LNCS 2971 




Jong In Lim 
Dong Hoon Lee (Eds.) 



Information Security 
and Cryptology - 



ICISC 2003 

6th International Conference 
Seoul, Korea, November 2003 
Revised Papers 




Lecture Notes in Computer Science 

Edited by G. Goos, J. Hartmanis, and J. van Leeuwen 



2971 




Jong In Lim Dong Hoon Lee (Eds.) 



Information Security 
and Cryptology - 



ICISC 2003 



6th International Conference 
Seoul, Korea, November 27-28, 2003 
Revised Papers 




Springer 




Series Editors 



Gerhard Goos, Karlsruhe University, Germany 
Juris Hartmanis, Cornell University, NY, USA 
Jan van Leeuwen, Utrecht University, The Netherlands 

Volume Editors 

Jong hi Lim 
Dong Hoon Lee 
Korea University 

1,5-Ka, Anam-dong Sungbuk-ku, Seoul, 136-701, Korea 
E-mail : {j ilim/ donghlee} @ korea. ac . kr 



Library of Congress Control Number: 200410281 1 



CR Subject Classification (1998): E.3, G.2.1, D.4.6, K.6.5, F.2.1, C.2, J.l 
ISSN 0302-9743 

ISBN 3-540-21376-7 Springer- Verlag Berlin Heidelberg New York 



This work is subject to copyright. All rights are reserved, whether the whole or part of the material is 
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, 
reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication 
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1 965, 
in its current version, and permission for use must always be obtained from Springer- Verlag. Violations are 
liable for prosecution under the German Copyright Law. 

Springer- Verlag is a part of Springer Science+Business Media 
springeronline.com 

© Springer-Verlag Berlin Heidelberg 2004 
Printed in Germany 

Typesetting: Camera-ready by author, data conversion by DA-TeX Gerd Blumenstein 
Printed on acid-free paper SPIN: 10992845 06/3142 5 4 3 2 1 0 




Preface 



We would like to express a hearty welcome to all the participants of the 6th In- 
ternational Conference on Information Security and Cryptology (ICISC 2003). 
It was organized by the Korea Institute of Information Security and Cryptology 
(KIISC) and sponsored by the Korean Ministry of Information and Communi- 
cation, and was held at the Seoul Olympic Parktel, Korea from November 27 to 
28, 2003. As in the five previous years, it served as a forum to bring together 
researchers from academia and commercial developers from industry to discuss 
the current state of the art in information security and cryptology. 

The Program Committee received 163 submissions from 25 countries and re- 
gions (Australia, Austria, Belgium, Canada, China, Finland, France, Germany, 
Hong Kong, India, Indonesia, Iran, Italy, Japan, Korea, Netherlands, Malaysia, 
Poland, Russia, Switzerland, Singapore, Taiwan, Turkey, UK, and USA), of 
which 32 papers were selected for presentation. All submissions were anony- 
mously reviewed by at least 3 experts in the relevant areas. There were two 
invited talks, by Jonathan Katz and Jean-Jacques Quisquater. 

We are very grateful to all the Program Committee members who devoted 
much effort and valuable time to reading and selecting the papers. We also thank 
the external experts who assisted the Program Committee in evaluating various 
papers. We owe special thanks to Jung Yeon Hwang and Judy Kang for always 
being available when their helping hand was needed. 

Finally, we would like to thank all the authors who submitted papers to ICISC 
2003, including those whose submissions were not successful, and the participants 
who together made this conference an intellectually stimulating event through 
their active contribution. 



December 2003 



Jong In Lim, Dong Hoon Lee 




ICISC 2003 



2003 International Conference 
on Information Security 
and Cryptology 

Seoul Olympic Parktel, Seoul, Korea 
November 27—28, 2003 



Organized, by 

Korea Institute of Information Security and Cryptology (KIISC) 
(http: / / www.kiisc.or.kr) 



Sponsored by 

MIC (Ministry of Information and Communication) , Korea 
(http://www.mic.go.kr) 




Organization 



General Chair 
Se Hun Kim 

Program Co- chairs 

Jong In Lim 
Dong Hoon Lee 

Program Committee 

Ronald Cramer 
Zongduo Dai 
Ed Dawson 
Robert H. Deng 
Jovan Golic 
Gene Itkis 
Markus Jakobsson 
Kwangjo Kim 
Pil Joong Lee 
Seongan Lim 
Masahiro Mambo 
Sang Jae Moon 
Chanathip Namprempre 
David Naccache 
Tatsuaki Okamoto 
Choonsik Park 
Dingyi Pei 
David Pointcheval 
Bart Preneel 
Jean-Jacques Quisquater 
Kouichi Sakurai 
Palash Sarkar 
Nigel Smart 
Serge Vaudenay 
Sung-Ming Yen 
Moti Yung 



KAIST, Korea - 



Korea University, Korea 
Korea University, Korea 



Aarhus, Denmark 
Academia Sinica, China 

Queensland University of Technology, Australia 

Institute for Infocomm Research, Singapore 

Tilab, Telecom Italia, Italy 

Boston University, USA 

RSA Laboratories, USA 

ICU, Korea 

POSTECH, Korea 

Korea Information Security Agency, Korea 
Tohoku University, Japan 
Kyungpook National University, Korea 
Thammasat University, Thailand 
Gemplus Card International, Prance 
NTT, Japan 
ETRI, Korea 

Chinese Academy of Science, China 
CNRS/ENS, Prance 

Katholieke Universiteit Leuven, Belgium 

UCL, Belgium 

Kyushu University, Japan 

Indian Statistical Institute, India 

University of Bristol, UK 

EPFL, Switzerland 

National Central University, Taiwan 

Columbia University, USA 




VIII Preface 



Organizing Committee Chair 

Heung Youl Youm Soonchunhyang University, Korea 



Organizing Committee 

HaGwang Soo Rhee 
Ji Hong Kim 
Kyo II Chung 
Jae Cheol Ha 
Hong Geun Kim 
Su Kyung Chae 
Kyung Sim Kim 



Sookmyung Women’s University, Korea 
Semyung University, Korea 
ETRI, Korea 

Korea Nazarene University, Korea 
KISA, Korea 
MIC, Korea 
KIISC, Korea 



External Reviewers 



Alex Biryukov 
Alex Dent 
Andrew Clark 
Beatrice Peirani 
Bo-Ching Wu 
Chang Seop Park 
Chao-Chih Hsu 
Chi-Dian Wu 
Chien-ning Chen 
Chong Hee KIM 
Christophe De Canniere 
Claude Barral 
Dae Hyun Yum 
Dan Page 
Dario Catalano 
Dingyi Pei 
Dong Jin PARK 
Emmanuel Bresson 
Eric Brier 



Eul Gyu Im 
Prederik Vercauteren 
G. Hanaoka 
Geriant Price 
Gildas Avoine 
Gregory Neven 
Guohua Xiong 
Helena Handschuh 
Helger Lipmaa 



Henry Lee 
Hisashi Inoue 
Hsi-Chung Lin 
Huafei Zhu 
Hyeong Joon Kim 
Hyeong Joong Kim 
In Kook Park 
Jacques Fournier 
Jae Hwan Park 
Javier Herranz Sotoca 
Javier Herranz Sotoca 
Jean Monnerat 
Jean Sebastien Coron 
Jean-Francois Dhem 
Ji Hyun Jeong 
John Malone-Lee 
Jonghoon Shin 
Joon-Hah Park 
Joseph Lano 
Juanma Gonzalez-Nieto 
Julien Brouchier 
JuSung Kang 
Katsu Okeya 
Kazu Fukushima 
Kazuto Matsuo 
Kenji Imamoto 
Ki Sik Chang 
Kishan Chand Gupta 
Kun Peng 



E-Transaction Protection Tech team 




Preface 



IX 



Lauren May 
Lejla Batina 
Lionel Victor 
Louis Granboulan 
Marc Joye 
Mark Looi 
Martijn Stain 
Masanobu Koike 
Matt Henricksen 
Matthew Dailey 
Mike Szydlo 
Moriai Shiho 
Mridul Nandi 
Naouel Ben Salem 
Nora Dabbous 
Olivier Benoit 
Olivier Chevassut 
Pascal Guterma 
Pascal Junod 
Pascal Paillier 
Philippe Oechslin 
Pierre- Alain Fouque 
Pierrick Gaudry 
Pinakpani Pal 
Pradeep Kumar Mishra 
Qingjun Cai 
R. Sakai 

Renato Menicocci 
Sang Gyoo SIM 
Sang Yun Han 
Sebastien Canard 
Selwyn Russell 
Seok Won Jeong 



SeongTaek Chee 
SeungJoo Kim 
Shouhuai Xu 
Shunsuke Araki 
Simon Blackburn 
Sourav Mukhopadhyay 
Steven Galbraith 
Subhamoy Maitra 
Sugata Gangopadhyay 
Sung Ho Yoo 
Taweesak Kitkarnjanarat 
Tieyan Li 
Tomo Asano 
Tony Rhodes 
Toshihiro Tabata 
Tsuyoshi Takagi 
Vittorio Bagini 
Vo Due Liem 
Xiaofeng Chen 
Yaron Sella 
Yasuyuki Sakai 
Yasuyuki Sakai 
Yeon Hyeong Yang 
YiLu 

Yong Ho Hwang 
Yong Li 
Yong Man Ro 
Yongdong Wu 

Yongyuth Permpoontanalarp 
Young Tae Youn 
YS Her 

Yvonne hitchcock 




Table of Contents 



Invited Talk 

Binary Tree Encryption: Constructions and Applications 

Jonathan Katz 1 

Digital Signatures I 

A Separable Threshold Ring Signature Scheme 

Joseph K. Liu, Victor K. Wei, and Duncan S. Wong 12 

On the Security of a Group Signature Scheme with Forward Security 
Guilin Wang 27 

An Efficient Strong Designated Verifier Signature Scheme 

Shahrokh Saeednia, Steve Kremer, and Olivier Markowitch 40 

Primitives 

Sound Computational Interpretation of Formal Encryption 
with Composed Keys 

Peeter Laud and Ricardo Corin 55 

On the Security of a New Variant of OMAC 

Tetsu Iwata and Kaoru Kurosawa 67 

New Methods to Construct Cheating Immune Functions 

Wen Ping Ma and Moon Ho Lee 79 

Yet Another Definition of Weak Collision Resistance and Its Analysis 
Shoichi Hirose 87 

Fast Implementations 

Implementation of Tate Pairing on Hyperelliptic Curves of Genus 2 

Young Ju Choie and Eunjeong Lee 97 

A General Expansion Method Using Efficient Endomorphisms 

Tae-Jun Park, Mun-Kyu Lee, E-yong Kim, and Kunsoo Park 112 




Table of Contents 



XI 



Design of Bit Parallel Multiplier with Lower Time Complexity 
Seon Ok Lee, Seok Won Jung, Chang Han Kim, Janghong Yoon, 

Jae-Young Koh, and Daeho Kim 127 

Architecture for an Elliptic Curve Scalar Multiplication Resistant 
to Some Side-Channel Attacks 

Joong Chul Yoon, Seok Won Jung, and Sungwoo Lee 139 

Efficient Scalar Multiplication in Hyperelliptic Curves 
Using A New Erobenius Expansion 

Tae-Jun Park, Mun-Kyu Lee, and Kunsoo Park 152 

Computer’ Security/Mobile Security 

Adaptive Protocol for Entity Authentication and Key Agreement 
in Mobile Networks 

Muxiang Zhang 166 

Extended Role Based Access Control and Procedural Restrictions 

Wook Shin, Dong-Ik Lee, Hyoung-Chun Kim, Jung-Min Kang, 

and Jin- Seok Lee 184 

Layer-Based Access Control Model in the Manufacturing Infrastructure 
and Design Automation System 

Yuan Zhang, Moon Jung Chung, and Hyun Kim 197 

Voting/ Auction Protocols 

Secure Double Auction Protocols with Pull Privacy Protection 

Changjie Wang, Ho-fung Leung, and Yumin Wang 215 

Sealed-Bid Auctions with Efficient Bids 

Torn Nakanishi, Daisuke Yamamoto, and Yuji Sugiyama 230 

Providing Receipt-Freeness in Mixnet-Based Voting Protocols 
Byoungcheon Lee, Colin Boyd, Ed Dawson, Kwangjo Kim, 

Jeongmo Yang, and Seungjae Yoo 245 

Receipt-Free Electronic Auction Schemes Using Homomorphic Encryption 
Xiaofeng Chen, Byoungcheon Lee, and Kwangjo Kim 259 

Watermarking 

Software Watermarking Through Register Allocation: Implementation, 

Analysis, and Attacks 

Ginger Myles and Christian Collberg 274 

Analysis of the Bounds for Linear Block Codes in Watermark Channel 
Limin Gu, Jiwu Huang, and Zewen Chen 294 




XII Table of Contents 



Digital Signatures II 

Security Analysis of Some Proxy Signatures 

Guilin Wang, Feng Bao, Jianying Zhou, and Robert H, Deng 305 

A More Secure and Efficacious TTS Signature Scheme 

Jiun-Ming Chen and Bo- Yin Yang 320 

An Efficient Revocation Algorithm in Group Signatures 

Zewen Chen, Jilin Wang, Yumin Wang, Jiwu Huang, and Daren Huang . , 339 

Efficient Forward and Provably Secure ID-Based Signcryption Scheme 

with Public Verifiability and Public Ciphertext Authenticity 

Sherman S.M. Chow, S.M. Yiu, Lucas C.K. Hui, and K.P. Chow 352 

Authentication/Threshold Protocols 

Group Oriented Cryptosystems Based on Linear Access Structures 

Wen Ping Ma and Moon Ho Lee 370 

A New Algorithm for Searching a Consistent Set of Shares 
in a Threshold Scheme with Cheaters 

Raylin Tso, Ying Miao, and Eiji Okamoto 377 

Non-interactive Deniable Ring Authentication 

Willy Susilo and Yi Mu 386 

Block/Stream Ciphers 

Differential Cryptanalysis of TEA and XTEA 

Seokhie Hong, Deukjo Hong, Youngdai Ko, Donghoon Chang, 

Wonil Lee, and Sangjin Lee 402 

A Complete Divide and Conquer Attack on the Alphal Stream Cipher 
K. Chen, L. Simpson, M, Henricksen, W. Millan, and E. Dawson 418 

New Block Cipher: ARIA 

Daesung Kwon, Jaesung Kim, Sangwoo Park, Soo Hak Sung, 

Yaekwon Sohn, Jung Hwan Song, Yongjin Yeom, E-Joong Yoon, 

Sangjin Lee, Jaewon Lee, Seongtaek Chee, Daewan Han, and Jin Hong . . . 432 

Truncated Differential Attacks on 8-Round CRYPTON 

Jongsung Kim, Seokhie Hong, Sangjin Lee, Junghwan Song, 

and Hyungjin Yang ■ 446 



Author Index 



457 




Binary Tree Encryption: 
Constructions and Applications 



Jonathan Katz* 



Department of Computer Science 
University of Maryland 
College Park, MD, USA 

jkatzOcs .umd.edu 



Abstract. Binary tree encryption (BTE), a relaxation of hierarchical 
identity-based encryption (HIBE), has recently emerged as a useful and 
intriguing primitive. On the one hand, the definition of security for BTE 
is sufficiently “weak” that — in contrast to HIBE — constructions of 
BTE in the standard model are known. On the other hand, BTE is 
sufficiently powerful that it yields a number of applications which are 
important from both a theoretical and a practical point of view. 

This survey presents the basic definitions of BTE and also highlights 
some recent applications of BTE to forward-secure encryption, identity- 
based and hierarchical identity-based encryption, chosen-ciphertext se- 
curity, and adaptively-secure encryption. 



1 Introduction 

The notion of identity-based cryptography has long fascinated researchers [23]. 
Loosely speaking, in such a scheme any identity (i.e., bit-string) can serve as 
a public key. In somewhat more detail, there is a (trusted) private-key generator 
PKG who generates master system parameters pa rams along with a master secret 
key sk. For any identity id £ {0, 1}* the PKG can use sk to compute a secret 
key SKid corresponding to this identity. The pair ( id , SKid) then functions as 
a standard public-/private-key pair (with the important distinction that id can 
be any string!) whose functionality is determined by the underlying identity- 
based scheme. (The PKG would presumably authenticate the identity of the 
person claiming “ id ” before giving them the corresponding secret key SKid- 
However, this is outside the scope of the present discussion.) An identity-based 
system is secure (informally) if knowledge of the secret keys corresponding to 
any arbitrary-size set of identities X = {id \, . . . , id n } does not allow an adversary 
to “break” the scheme (in the appropriate sense) for any id' qL X. 

Shamir [23] was the first to suggest an implementation of an identity-based 
signature scheme. Following this, many provably-secure proposals for identity- 
based signature and identification schemes followed (e.g., [13, 16]); some of these 

* Portions of this work were supported by NSF grant #ANI-0310751. 



J.I. Lim and D.H. Lee (Eds.): ICISC 2003, LNCS 2971, pp. 1—11, 2004. 
(c) Springer- Verlag Berlin Heidelberg 2004 



2 



Jonathan Katz 



constructions were recently generalized and expanded upon in [11]. Although 
these constructions are proven secure in the random oracle model, note that it is 
also possible to construct identity-based signatures in the standard model based 
on any “regular” signature scheme (see [11]). 

Recently, Boneh and Franklin [5] and Cocks [10] resolved a long-standing 
open problem by constructing the first identity-based public-key encryption 
schemes. Both of these constructions are proven secure in the random oracle 
model. Since encryption schemes are the focus of this article (and are more in- 
teresting in the sense that they are more difficult to construct), we consider only 
encryption from now on. 

It is natural to extend the notion of identity-based encryption (IBE) to in- 
clude hierarchical identity-based encryption (HIBE). In an HIBE scheme, the 
PKG (as above) issues secret keys to “first-level” identities id £ {0, 1}*; further- 
more, anyone knowing the secret key SK i dl corresponding to a “first-level” iden- 
tity id\ can issue a secret key SK idl ^ ld2 corresponding to any “second- level” iden- 
tity idi\\id 2 (for arbitrary id 2 £ {0, 1}*). More generally, let ID = (*di|| ■ ■ ■ ||*<i t ) 
and let SKjr> be the secret key corresponding to this identity. Then for any string 
idt+i £ {0,1}* and identity ID' = f (ID\\id t +i), knowledge of SKm enables 
computation of a key SKjn>. As before, in all these cases the pair (ID, SAT/d) 
functions as a “standard” public-/private-key pair. The security requirement is 
modified in the obvious way: now, one requires that knowledge of the secret 
keys corresponding to any arbitrary-size set of identities X = {ID i, . . . ,ID n } 
should not enable an adversary to “break” the scheme (in some appropriate 
sense) for any ID' having no ancestors in X, where the ancestors of an identity 
ID = (idi\ \ ■ ■ ■ || id n ) are all identities of the form (*di|| ■ • • \ \idi) for i < n. 

Horwitz and Lynn [17] were the first to suggest the notion of HIBE, and 
they also propose a partial solution handling identities of depth two. Gentry 
and Silverberg [14] were the first to give a complete solution to this problem, 
and they construct and prove secure a scheme supporting identities of arbitrary 
(constant) depth. Both of these constructions build on the IBE scheme of Boneh 
and Franklin [5], and both are proven secure in the random oracle model. 

1.1 Binary Tree Encryption 

It can be immediately noticed that the identities in a hierarchical identity-based 
scheme correspond in the natural way to nodes in a tree. Specifically, one may 
associate the PKG with the root of the tree, the “first-level” identities with 
the nodes of depth one (i.e., the children of the root), and the identity ID' = 
[idi 1 1 • • • | \idt+i) with a node at depth t + 1 which is the child of a node at depth t 
which is in turn associated with ID = (idi\ \ ■ ■ ■ \\idt). 

In a scheme as outlined above, the identity hierarchy yields a tree of un- 
bounded degree. In contrast, a binary tree encryption (BTE) scheme [7] — as 
the name suggests — considers only an identity hierarchy in the form of a bi- 
nary tree (i.e., a tree in which each node has degree two). Viewing BTE as 
a conceptual relaxation of HIBE, one obtains a scheme in which the PKG may 



Binary Tree Encryption: Constructions and Applications 3 

potentially issue secret keys to (only) two “identities”: 0 and 1. In turn, the 
“identity” 0 (with knowledge of the appropriate secret key SKq) can potentially 
issue secret keys for the “identities” 00 and 01; an analogous statement holds for 
the “identity” 1. More generally (and dispensing with the purely imaginary con- 
cept of “identities” here), the secret key SK W corresponding to the binary string 
w € {0, 1 } ( enables derivation of the secret keys SK w0 and SK W i corresponding 
to the strings ui0,w>1 £ {0,1}* +1 . As in the case of hierarchical identity-based 
encryption, each pair (w, SK W ) functions as a public-/private-key pair. A def- 
inition of security is developed in a way similar (but slightly different) to that 
discussed above in the context of hierarchical identity-based encryption; a formal 
definition appears in Section 2. 

“Relaxing” the notion of hierarchical identity-based encryption in this way 
turns out to be an incredibly powerful idea. For one, a BTE scheme supporting 
trees of arbitrary polynomial depth has recently been constructed and proven 
secure in the standard model [7] (recall that in the case of HIBE, only a scheme 
of constant depth with a proof of security in the random oracle model [14] is 
known) . The proof relies on a reasonable number-theoretic assumption (namely, 
the decisional bilinear Diffie-Hellman assumption) related 1 to that used by 
Boneh and Franklin in constructing their ID-based scheme [5] . This construction 
of a BTE scheme builds on the construction of Gentry and Silverberg with an 
important “twist”: because a binary tree is used (and because of a slight relax- 
ation of the security definition) , it is possible to replace the random oracle with 
a poly(fc)-wise independent hash function, a description of which is included as 
part of the master system parameters. 

Equally important, the “relaxed” notion of BTE is surprisingly powerful and 
suffices for a number of applications: 

— BTE was used to construct the first forward-secure encryption scheme [7] 
(indeed, the notion of BTE was introduced in the context of research di- 
rected toward solving this problem). Note that this is currently the only 
methodology known for achieving forward-secure encryption. 

— BTE implies both identity-based encryption as well as hierarchical identity- 
based encryption [7], albeit only with respect to a non- adaptive definition 
of security which is weaker than the definition originally proposed [5]. This 
results in the first constructions of IBE and HIBE schemes which may be 
proven secure in the standard model. 

— Recent work [8] shows that any IBE scheme (even if “only” secure against 
non-adaptive attacks) can be used to construct a standard public-key encryp- 
tion scheme secure against adaptive chosen-ciphertext attacks (i.e. , a CCA- 
secure scheme; cf. [3]). Given the result mentioned above, this yields a new 
construction of a CCA-secure encryption scheme in the standard model. In- 
terestingly, the construction seems not to follow the paradigms underlying 
all previous constructions of CCA-secure encryption schemes (cf. [12]). 



1 It is also possible to base a BTE scheme on the identical assumption used by Boneh 
and Franklin (in the standard model) at the expense of a loss in efficiency. 



4 



Jonathan Katz 



— Finally, it has recently been shown [9] how to construct an adaptively-secure 
encryption scheme with “short” keys (namely, with keys shorter than the 
length of all plaintext messages sent — in fact, the length of plaintext to 
be encrypted may be a priori unbounded) based on any forward-secure en- 
cryption scheme plus an NIZK proof system. 2 We comment that adaptively- 
secure encryption with “short” keys is impossible [21] unless some form of 
key-evolving techniques (such as those used in forward-secure encryption 
schemes) are used. 

It is hoped that the above results represent just the “tip of the iceberg” and 
that further applications of BTE will be developed. 

1.2 Outline 

The remainder of the paper is organized as follows. In Section 2, we give a formal 
definition of binary tree encryption as well as the corresponding definition of 
security. In Section 3, we state the known results regarding constructions of 
BTE. The applications of BTE, as highlighted above, are discussed in Section 4. 
The treatment given here is at a relatively high level; the interested reader is 
referred to the original papers [7, 8, 9] for additional information. 

2 Definitions 

Definitions related to identity-based encryption [5] and hierarchical identity- 
based encryption [14] are given elsewhere; for the purposes of understanding the 
definition of binary tree encryption, the informal descriptions provided in the 
Introduction should suffice. We thus begin with a formal definition of binary 
tree encryption (BTE), taken from [7]: 

Definition 1. A (public-key) binary tree encryption (BTE) scheme is a )-tuple 
of PPT algorithms (Gen, Der, Enc, Dec) such that: 

— The key generation algorithm Gen takes as input a security parameter l k 
and a value I for the depth of the tree. It returns a master public key PK 
and an initial (root) secret key SK e . (We assume that the values of k and i 
are implicit in PK and all node secret keys.) 

— The key derivation algorithm Der takes as input PK , the name of a node 
w G {0, l} <e , and its secret key SK W . It returns secret keys SK w q , SK W \ for 
the two children ofw. 

— The encryption algorithm Enc takes as input PK , the name of a node w G 
{0, 1}-^, and a message M . It returns a ciphertext C . 

— The decryption algorithm Dec takes as input PK , the name of a node w G 
{0, l}~ e , its secret key SK W , and a ciphertext C. It returns a message M . 

2 Interestingly, it is shown in [7] how to construct an NIZK proof system based on the 
same number-theoretic assumption used for the forward-secure encryption scheme. 



Binary Tree Encryption: Constructions and Applications 



5 



For correctness, we require that for any (PK, SK e ) output by Ger\(l k ,£), any 
node w £ {0, 1}-^ and secret key SK W correctly generated for this node, and any 
message M, we have M = Dec(PK,w,SI\ w ,Er\c(PK,w,M)). 

The security notion for BTE is largely similar to the security notion for HIBE, 
with the key difference being that the present definition requires the attacker to 
commit to the node to be attacked (i.e., the “target node”) in advance , before 
seeing the public key and before asking any key exposure queries. This type 
of attack is called a selective-node (SN) attack. While the resulting definition 
is weaker than a definition which allows the adversary to adaptively select the 
target node, we stress again that this “weaker” definition suffices for all the 
applications mentioned herein. Furthermore, it is (in part) this weakening of the 
definition which allows for a construction of BTE in the standard model. 

Definition 2. A BTE scheme is secure against selective-node, chosen-plaintext 
attacks /SN-CPA/ if for all polynomially-bounded functions £(■) , the advantage of 
any PPT adversary A in the following game is negligible in the security parameter: 

1. A(l k ,£(k)) outputs a name w* £ {0, 1}-W of a node. 

2. Algorithm Gen(l fe ,£(fc)) outputs (PK, SK e ) . In addition, algorithm Der(- • •) 
is run to generate the secret keys of all the nodes on the path from the root 
to w* (we denote this path by P ), and also the secret keys for the two children 
of w* (if \w* | < £). 

3. The adversary is given PK and also the secret keys {SK W } for all nodes w 
of the following form: 

- w = w'b, where w'b is a prefix of w* and b £ {0, 1} (i.e., w is a sibling of 
some node in P); 

- w = w*0 or w = w* 1 (i.e., w is a child of w* ; this is only when |w;*| < £). 

( Note that this allows the adversary to compute SK w i for any node w' £ 
{0, that is not a prefix of w* .) 

4- The adversary generates a request challenge(Mo, M\). A random bit b is se- 
lected and the adversary is given C* = Enc (PK,w*,Mf). 

At the end of the game the adversary outputs b' £ {0, 1}; it succeeds ifb ’ = b. The 
adversary’s advantage is the absolute value of the difference between its success 
probability and 1/2. 

Security against chosen-ciphertext attacks (denoted SN-CCA) is defined as the 
obvious extension of the above; see [7] for details. 

3 Constructions of Secure BTE Schemes 

We limit ourselves to listing the known results regarding constructions of secure 
BTE schemes, and to a tabulation of their complexity (as a function of the 
tree depth); the reader is referred to [7] for further details. All constructions 



6 



Jonathan Katz 



mentioned below (indeed, all known constructions of BTE) rely on variants of 
the so-called Bilinear Diffie- Heilman (BDH) assumption. This assumption was 
first formally defined by Boneh and Franklin [5], motivated by earlier work of 
Joux [18] and Joux and Nguyen [19]. 

One of the main results of [7] is the following: 

Theorem 1. Assuming the decisional BDH assumption, there exists a BTE 
scheme secure in the sense of SN-CPA. 

It is easy to modify the construction so that it relies only on the (possibly 
weaker) computational BDH assumption (this may be done by using a hard- 
core predicate of the computational BDH problem, and encrypting bit-by-bit). 
However, this modification comes at the expense of a significant loss of efficiency. 

Two generic techniques for achieving chosen-ciphertext security for an arbi- 
trary BTE scheme have been proposed. The first [7] relies on non-malleable non- 
interactive zero-knowledge (NIZK) proofs, adapting an approach due to Naor 
and Yung [20] and Sahai [22] in the context of making “standard” public-key en- 
cryption schemes secure against chosen-ciphertext attacks. Interestingly, in the 
process of developing this solution it is also shown how non-malleable NIZK may 
be based on any publicly-verifiable trapdoor predicate (this notion, introduced 
by [11, 7] , generalizes the notion of trapdoor permutations) , and furthermore how 
the decisional BDH assumption naturally gives rise to such predicates. Putting 
this together gives the following result: 

Theorem 2. Assuming the decisional BDH assumption, there exists a BTE 
scheme secure in the sense of SN-CCA. 

Because the above relies on NIZK proofs of generic NP statements, it should 
properly be regarded as a feasibility result rather than as a method for construct- 
ing efficient schemes. Recently [8], a more efficient method for achieving chosen- 
ciphertext security for an arbitrary BTE scheme was proposed; this method (in 
particular) avoids any zero-knowledge proofs and instead relies on one-time sig- 
nature schemes (which may be constructed from any BTE scheme). This gives 
an alternate proof of the above theorem, via a more practical construction. 

The above results all hold in the standard model. If one is willing to as- 
sume the random oracle model, improved efficiency can be achieved. For one, it 
should be clear that any HIBE scheme which is secure for a non-adaptive choice 
of the target identity is also a BTE scheme; thus, the construction of [14] may be 
used. One way to view this is as simply replacing the poly(fc)-wise independent 
hash function in the construction of [7] by a random oracle (which, of course, 
is also a poly(fc)-wise independent hash function). This leads to improved effi- 
ciency since a poly(fc)-wise independent hash function is (relatively) expensive 
to generate and evaluate — in particular, requiring time 0(poly(fc)) — while for 
a random oracle these operations are all assumed to take time 0(1). Further- 
more, essentially the same scheme (with but one additional call to the random 
oracle) may be based on the (possibly weaker) computational BDH assumption 
rather than the decisional BDH assumption. Finally, improved efficiency is also 



Binary Tree Encryption: Constructions and Applications 



7 



Table 1 . Summary of dependencies on the depth of the tree i 





Standard model 


Random oracle model 


Master key generation time 


0(1) 


0(1) 


Encryption/decryption time 


0(1) 


0(1) 


Key derivation time 


0(1) 


0(1) 


Ciphertext length 


0(1) 


0(1) 


Public key size 


0(1) 


0(1) 


Secret key size 


0(1) 


0(1) 



possible for BTE schemes achieving chosen-ciphertext security. See [7] for further 
details. 

For completeness, the asymptotic efficiencies of the two constructions secure 
in the sense of SN-CPA (i.e., in the standard model and in the random oracle 
model) are given in Table 1. 

4 Applications of BTE 

We briefly summarize the known applications of BTE. 

4.1 Forward Secure Encryption 

Cryptographic computations are often carried out on insecure devices for which 
the threat of key exposure represents a serious and realistic concern. In an ef- 
fort to mitigate the damage caused by exposure of secret keys stored on such 
devices, the paradigm of forward security was introduced [1, 4]. In a forward- 
secure scheme, the secret key is updated at regular periods of time (say, at the 
end of every day), while the public key remains fixed; such schemes guarantee 
that exposure of the secret key corresponding to a given time period does not 
enable an adversary to “break” the scheme (in the appropriate sense) for any 
prior time period. 

Although a number of forward-secure signature and identification schemes 
(beginning with [1, 4]) have been proposed, designing a forward-secure (public- 
key) encryption scheme seemed elusive. As outlined in [7], however, BTE schemes 
can be used to solve this problem, and to give efficient constructions of forward- 
secure encryption schemes. The basic idea is as follows: let N be the total number 
of time periods 3 for which the system will operate. Each of these time periods 
is associated with a node in a binary tree of depth [log N~\ in the following way: 
the i th time period will be associated with the i th node of the tree according to 
a pre-order traversal, We denote this node by (i). 

The secret key at period i will consist of: (1) the secret key for node (i) in the 
underlying BTE scheme; and also (2) the secret keys (in the underlying BTE 
scheme) for all right-children of the path from the root of the tree to ( i }. To 

3 We assume for simplicity that N is fixed in advance; in fact, an unbounded number 
of time periods can be supported [7]. 



Jonathan Katz 



encrypt a message during period i, a sender simply encrypts it for the node (i) 
(again, using the underlying BTE scheme); note that decryption is possible since 
the secret key at period i includes, in particular, the secret key for node (i). It 
should be noted also that key updates can be done by erasing the secret key 
for node (i) and using the additional secret keys (i.e., those keys belonging to 
right-children of the path from the root to (i)) to derive the necessary keys for 
the next time period. Details are given in [7], where the following is also proven: 

Theorem 3. (Informal:) Given any BTE scheme secure in the sense of SN- 
CPA. the above construction yields a forward- secure encryption scheme. 

Since the above construction requires a binary tree of depth log N to support N 
time periods, the scheme itself has all parameters at most poly-logarithmic in the 
number of time periods (cf. Table 1). In fact, additional improvements are possi- 
ble. These improvements and various extensions of the above theorem, omitted 
here for lack of space, are given in [7]. 

4.2 (Hierarchical) Identity-Based Encryption 

It was noted earlier that any HIBE scheme is also trivially a BTE scheme, 
without any modification. Interestingly, one can also show that a BTE scheme 
is powerful enough to construct a full-fledged HIBE scheme [7] (or, as a special 
case, an identity-based scheme), albeit under a slightly weaker definition which 
requires a non-adaptive choice of the target identity. We sketch the construction 
here. An HIBE of depth t is constructed using a BTE of depth k ■ t, where k is 
the security parameter. Identities are hashed to strings of length at most k ■ t 
by applying a collision-resistant hash function H to the identities at each level; 
thus, the identity (*di|| • • ■ \\idf) is mapped to the string H{id\)\\ ■ ■ ■ || H(idi). It 
is not hard to show that this gives a secure HIBE, under the relaxed definition 
of security given above. In fact, because the target identity must be chosen in 
advance, it is enough for H to be a universal one-way hash function (whose 
existence is implied by any BTE scheme); thus, we have: 

Theorem 4. Assuming the existence of a BTE scheme secure in the sense of 
SN-CPA, there exists an HIBE scheme of arbitrary polynomial depth secure under 
a non-adaptive choice of target identity. 

4.3 Chosen-Ciphertext Security 

Recently, an interesting connection between identity-based encryption and se- 
curity against chosen-ciphertext attacks (for “standard” public-key encryption 
schemes) has been shown [8]. In particular, it was shown how any identity- 
based encryption scheme can be used to give a simple and efficient construction 
of a regular encryption scheme secure against chosen-ciphertext attacks (i.e., 
a “CCA-secure” encryption scheme). The resulting construction avoids the use 
of any generic NIZK proofs, and furthermore seems not to follow the paradigm of 
all previously-known constructions of CCA-secure encryption schemes (cf. [12]). 



Binary Tree Encryption: Constructions and Applications 



9 



We describe the construction of a CCA-secure standard encryption scheme 
now: The public key of the scheme will be the master public key PK of the 
identity-based scheme, while the secret key SK is the corresponding master 
secret key. To encrypt a message m, the sender generates verification/signature 
keys (v k, sk ) for any one-time signature scheme, and encrypts m for “identity” 
vk (using the underlying identity-based scheme). The sender signs the resulting 
ciphertext C to obtain a signature <r, and sends (vk, C, a) to the receiver. 

The receiver first verifies that a is a correct signature on C with respect to vk ; 
if not, the ciphertext is rejected. Otherwise, the receiver uses the master secret 
key SK to generate a decryption key SK v k corresponding to the “identity” vk. 
Notice that it can then decrypt C using SK V ]~. 

The following is proven in [8]: 

Theorem 5. (Informal:) Given any identity-based, encryption scheme secure 
under a non-adaptive choice of target identity, the above construction yields 
a CCA-secure encryption scheme. 

Note that the identity-based scheme need only be secure against a non-adaptive 
choice of target identity; combined with Theorems 1 and 4, this results in a new 
construction of a CCA-secure encryption scheme in the standard model. 

It has already been noted above that a similar technique may be used to 
construct a BTE scheme secure against chosen-ciphertext attacks, starting with 
any BTE scheme secure in the sense of SN-CPA. Because this gives a slightly 
stronger result than that of Theorem 2, we state it here for completeness: 

Theorem 6. Assuming the existence of a BTE scheme secure in the sense of 
SN-CPA, there exists a BTE scheme secure in the sense of SN-CCA. 

See [8] for further details. 



4.4 Adaptively- Secure Encryption 

Standard definitions of secure encryption do not guarantee security in the case of 
adaptive corruptions. In a setting where such adaptive corruptions are possible, 
the encryption scheme should provide the additional guarantee that the infor- 
mation gathered by an adversary when corrupting parties (and, in particular, 
learning their secret keys) does not give it any additional advantage toward com- 
promising the security of the uncorrupted parties. Very roughly speaking, this 
requirement may be captured by the existence of a simulator that can generate 
“dummy” ciphertexts which it can later “open” (by revealing an appropriate 
secret key) to any given message. (Of course, this must be done in such a way 
that the revealed secret key “matches” the fixed public key.) Schemes achieving 
this notion of security are termed adaptively secure. We do not further motivate 
or describe the definition, but instead refer the reader elsewhere [2, 6, 21, 15, 9] 
for additional discussion. 

Nielsen has shown [21] that non-interactive adaptively-secure encryption (in 
the standard model) is “impossible” unless the secret key is as long as the 



10 



Jonathan Katz 



length of all plaintext messages that are sent. In particular, this implies that no 
adaptively-secure scheme supporting an a priori unbounded number of messages 
is possible. This result is in stark contrast to the case for encryption schemes 
which are not adaptively secure. 

It is possible to circumvent Nielsen’s impossibility result, however, by con- 
sidering key-evolving cryptosystems; i.e. , those in which the secret key evolves 
over time. This suggests using forward-secure encryption as a building block to- 
ward building adaptively-secure schemes. (Note that a forward-secure encryption 
scheme, by itself, is not necessarily adaptively secure.) In fact, a construction of 
an adaptively-secure encryption scheme based on any forward-secure encryption 
scheme has recently been given [9]: 

Theorem 7. (Informal:) Assuming the existence of a forward-secure encryp- 
tion scheme and an NIZK proof system for NP, there exists a non-interactive 
adaptively-secure encryption scheme for an unbounded number of messages. 

Since both a forward-secure encryption scheme as well as NIZK proofs may be 
based on the BDH assumption (cf. [7]), the BDH assumption suffices to imply 
the result of the theorem. 

More efficient constructions of adaptively-secure encryption, which avoid 
NIZK proofs altogether (but which in some cases require additional number 
theoretic assumptions), are also given in [9]. 



Acknowledgements 

It was great fun to collaborate with Ran Canetti and Shai Halevi on the all work 
described herein. I would also like to thank the program chairs for ICISC 2003 
(Jong In Lim and Dong Hoon Lee) for inviting me to present this survey, and 
for a very enjoyable visit to Korea. 

References 

[1] R. Anderson. Two Remarks on Public Key Cryptology. Invited Lecture, fth 
ACM Conference on Computer and Communications Security, 1997. Available 
at http://www.cl.cam.ac.uk/ftp/users/rjal4/forwardsecure.pdf. 7 

[2] D. Beaver and S. Haber. Cryptographic Protocols Secure Against Dynamic Ad- 
versaries. Adv. in Cryptology — Eurocrypt 1992, LNCS vol. 658, Springer- Verlag, 
pp. 307-323, 1992. 9 

[3] M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway. Relations Among Notions 
of Security for Public-Key Encryption Schemes. Adv. in Cryptology — Crypto 
1998, LNCS vol. 1462, Springer- Verlag, pp. 26-45, 1998. 3 

[4] M. Bellare and S. Miner. A Forward-Secure Digital Signature Scheme. Adv. in 
Cryptology — Crypto 1997, LNCS vol. 1666, Springer- Verlag, pp. 75-89, 1997. 7 

[5] D. Boneh and M. Franklin. Identity-Based Encryption from the Weil Pairing. 
Adv. in Cryptology — Crypto 2001, LNCS vol. 2139, Springer- Verlag, pp. 213- 
229, 2001. Full version to appear in SIAM J. Computing and available at 
http://eprint.iacr.org/2001/090. 2, 3, 4, 6 



Binary Tree Encryption: Constructions and Applications 



11 



[6] R. Canetti, U. Feige, O. Goldreich, and M. Naor. Adaptively Secure Multi-Party 
Computation. 28th ACM Symposium on Theory of Computing (STOC), ACM, 
pp. 639-648, 1996. 9 

[7] R. Canetti, S. Halevi, and J. Katz. A Forward-Secure Public-Key Encryption 
Scheme. Adv. in Cryptology — Eurocrypt 2003, LNCS vol. 2656, Springer- Verlag, 
pp. 255-271, 2003. Full version available at http://eprint.iacr.org/2003/083. 
2, 3, 4, 5, 6, 7, 8, 10 

[8] R. Canetti, S. Halevi, and J. Katz. Chosen-Ciphertext Security from Identity- 
Based Encryption. Available at http://eprint.iacr.org/2003/182. 3, 4, 6, 8, 
9 

[9] R. Canetti, S. Halevi, and J. Katz. Flash Encryption: Adaptive and Forward 
Security with Short Keys. Manuscript, November 2003. 4, 9, 10 

[10] C. Cocks. An Identity-Based Encryption Scheme Based on Quadratic Residues. 
Cryptography and Coding, LNCS vol. 2260, Springer- Verlag, pp. 360-363, 2001. 
2 

[11] Y. Dodis, J. Katz, S. Xu, and M. Yung. Strong Key-Insulated Signature Schemes. 
PKC 2003, LNCS vol. 2567, pp. 130-144, Springer- Verlag, 2003. 2, 6 

[12] E. Elkin and A. Sahai. A Unified Methodology For Constructing Public- 
Key Encryption Schemes Secure Against Adaptive Chosen- Ciphertext At- 
tack. To appear, 1st Theory of Cryptography Conference, 2004. Available at 
http://eprint.iacr.org/2002/042. 3, 8 

[13] A. Fiat and A. Shamir. How to Prove Yourself: Practical Solutions to Identification 
and Signature Problems. Adv. in Cryptology — Crypto 1986, LNCS vol. 263, 
Springer- Verlag, pp. 186-194, 1986. 1 

[14] C. Gentry and A. Silverberg. Hierarchical Identity-Based Cryptography. Adv. in 
Cryptology — Asiacrypt 2002, LNCS vol. 2501, Springer- Verlag, pp. 548-566, 

2002. 2, 3, 4, 6 

[15] O. Goldreich. Draft of a Chapter on Cryptographic Protocols. Manuscript, June 

2003. Available at http://www.wisdom.weizmann.ac.il/~oded/foc-vol2.html 
9 

[16] L. Guillou and J.-J. Quisquater. A “Paradoxical” Identity-Based Signature 
Schemes Resulting from Zero-Knowledge. Adv. in Cryptology — Crypto 1988, 
LNCS vol. 403, Springer- Verlag, pp. 216-231, 1988. 1 

[17] J. Horwitz and B. Lynn. Toward Hierarchical Identity-Based Encryption. Adv. in 
Cryptology — Eurocrypt 2002, LNCS vol. 2332, Springer- Verlag, pp. 466-481, 
2002 . 2 

[18] A. Joux. A One-Round Protocol for Tri-Partite Diffie Heilman. Fourth Algorithmic 
Number Theory Symposium (ANTS), LNCS vol. 1838, Springer- Verlag, pp. 385- 
394, 2000. 6 

[19] A. Joux and K. Nguyen. Separating Decision Diffie-Hellman from Diffie- 

Hellman in Cryptographic Groups. Manuscript, January 2001. Available at 
http: //eprint . iacr . org/2001/003/. 6 

[20] M. Naor and M. Yung. Public Key Cryptosystems Provably Secure Against 
Chosen-Ciphertext Attacks. 22nd ACM Symposium on Theory of Computing 
(STOC), ACM, pp. 427-437, 1990. 6 

[21] J. B. Nielsen. Separating Random Oracle Proofs from Complexity-Theoretic 
Proofs: The Non-Committing Encryption Case. Adv. in Cryptology — Crypto 
2002, LNCS vol. 2442, Springer- Verlag, pp. Ill 126, 2002. 4, 9 

[22] A. Sahai. Non-malleable Non-Interactive Zero- Knowledge and Adaptive Chosen- 
Ciphertext Security. 40th IEEE Symposium on Foundations of Computer Science 
(FOCS), IEEE, pp. 543-553, 1999. 6 

[23] A. Shamir. Identity-Based Cryptosystems and Signature Schemes. Adv. in Cryp- 
tology — Crypto 1984, LNCS vol. 196, Springer- Verlag, pp. 47-53, 1984. 1 



A Separable Threshold Ring Signature Scheme 



Joseph K. Liu 1 , Victor K. Wei 1 , and Duncan S. Wong 2 * 

1 Department of Information Engineering 
The Chinese University of Hong Kong 
Shatin, Hong Kong 
{ksliu9 ,kwwei}@ie . cuhk. edu.hk 
2 Department of Computer Science 
City University of Hong Kong 
Kowloon, Hong Kong 
duncan@cityu . edu . hk 



Abstract. We present a threshold ring signature scheme (spontaneous 
anonymous threshold signature scheme) that allows the use of both RSA- 
based and DL-based public keys at the same time. More generally, the 
scheme supports the mixture of public keys for any trapdoor-one-way 
type as well as three-move type signature schemes. This kind of ‘sepa- 
rability’ has useful applications in practice as a threshold ring signature 
is no longer limited to support only one particular type of public keys, 
as required by all the previous schemes. In the paper, we also show that 
the signature maintains the anonymity of participating signers uncondi- 
tionally and is existential unforgeable against chosen message attacks in 
the random oracle model. 



1 Introduction 

Let us consider the following scenario. Suppose there are n users in a public- key 
system in which each of them has a public key pair for digital signature. Their 
public keys are generated independently without any coordination with others 
and therefore their keys may correspond to different security parameters. In 
addition, it is very likely that the keys are for entirely different signature schemes. 
For example, user 1 may have a key pair for 2048-bit RSA signature scheme [17], 
user 2 may have one for 1024-bit Digital Signature Algorithm [12], user 3 may 
have one for 163-bit ECDSA (Elliptic Curve Digital Signature Algorithm) [9], 
while user 4 may prefer to use one for 1024-bit Schnorr signature scheme [18]. 
Other users may pick key pairs for their favorable signature schemes other than 
the previous ones. Under this system setup, t users spontaneously form a group 
of n possible signers by arbitrarily choose n users including themselves, where 
n > t, and generate a signature for some message such that (1) any public 
verifier (who has all the n public keys) can tell if the signature is valid ( public 
verifiability)', (2) can identify who the t actual signers are even when all the 

* A part of this work was supported by a grant from CityU(Project No. 7200005). 



J.I. Lim and D.H. Lee (Eds.): ICISC 2003, LNCS 2971, pp. 12-26, 2004. 
(c) Springer- Verlag Berlin Heidelberg 2004 



A Separable Threshold Ring Signature Scheme 



13 



private keys of the n possible signers in the group are known ( anonymity , signer- 
ambiguity) ; and (3) knowing only t — 1 private keys of the signing group is not 
enough for forging such a signature ( unforgeability , robustness). In this paper, 
we focus on solving the problem and we call the scheme a separable threshold 
ring signature scheme or spontaneous anonymous threshold signature scheme. 

The notion of ring signature was first formalized by R.ivest et al. in [16]. 
A ring signature scheme allows a signer to spontaneously form a group of sign- 
ers including himself and generate a signature such that any public verifier can 
tell if the signature is valid while cannot determine the actual authorship of 
the signature. In addition, the formation of a signing group does not require 
any coordination of group membership or any TTP (Trusted Third Party), and 
therefore can be formed by the actual signer without getting any consent from 
other diversion group members — spontaneity. The concept of spontaneity was 
absent from most previous results on threshold cryptography and threshold sig- 
nature schemes [7]. The signing group is formed with the intervention of the 
group manager and may also require coordination among group members. Also 
the group manager who always knows who the the actual signer is. In the ring 
signature, the absence of a group manager provides anonymity to the actual 
signer both inside and outside the signing group. 

A (t, n)-threshold ring signature [3] has the similar notion to the ring sig- 
nature. First, a (t, n)-threshold ring signature scheme requires at least t signers 
to work jointly for generating a signature. Second, the anonymity of signers is 
preserved both inside and outside the signing group. Third, those t participating 
signers can choose any set of n entities including themselves without getting any 
consent from those diversion group members. 

(Separability) An application is said to be separable if all participants can choose 
their keys independently with different parameter domains and for different types 
of signature schemes. The term separability was originated from [10] and was 
diversified in [5]. There exists weaker forms of separability. Partial separability 
allows only a subset of the participants to choose their keys independently and 
weak separability requires all participants to use common system parameters. [?] 
provides perfect separability, [10] provides partial separability and [5] provides 
weak separability. However, all of these schemes are group signature schemes 
and there is no corresponding variant of threshold ring signature schemes. 

There is another scenario: when all participants in an application choose 
their keys independently but requiring that all the keys are for one single type 
of signature schemes. For example, all keys have to be for a RSA-based signature 
scheme but they may have different key sizes. We say that the application has 
type-restricted separability. 



1.1 Our Contributions 

We present a (t, n)-threshold ring signature scheme (spontaneous threshold sig- 
nature scheme) that enjoys separability. In each signature, the public keys indi- 
cated can be for any trapdoor-one-way type and any three-move type signature 



14 



Joseph K. Liu et al. 



schemes. When compared with [3, 20], our scheme runs more efficiently and of- 
fers a smaller signature size in the general case. When compared with [4, 20], 
our scheme eliminates the need of an ideal cipher and costly domain adjustment. 
The assumption of the existence of an ideal cipher is stronger than the assump- 
tion of having random oracles. Our scheme is proven to be secure in the random 
oracle model [2]. 

The remaining of the paper is organized as follows. In Sec. 2, several ring 
signature schemes and threshold ring signature schemes are reviewed. This is fol- 
lowed by the formal definition of a secure (t, n)-thresholcl ring signature scheme 
in Sec. 3. Then we exemplify our scheme using some concrete setup and analyze 
its security in Sec. 4 and Sec. 5, respectively. In Sec. 6, the generic version of our 
separable threshold ring signature scheme is presented. We conclude the paper 
in Sec. 7. 



2 Related Work 

The notion of ring signature was first formalized by Rivest et al. in [16]. They 
also proposed an efficient ring signature scheme which support public keys for 
trapdoor one-way functions. Several other ring signature schemes were later pro- 
posed [3, 21, 1, 20]. Among these schemes, [1] supports the use of various flavors 
of public keys at the same time in one single ring signature. Their scheme allows 
the mixture of public keys for trapdoor one-way function based signature schemes 
(also known as trapdoor-one-way type signature schemes) and three-move type 
signature schemes such as Fiat-Shamir signature scheme [ ] and Schnorr signa- 
ture scheme [18]. 



2.1 Witness Indistinguishable Signature (WIS) [6] 

Although ring signature was first formalized in 2001 by Rivest, et al. [16], similar 
concept was actually raised earlier. In 1994, Cramer et al. [6] proposed a proof of 
knowledge protocol which consists of the properties of a threshold ring signature 
scheme at large. Their protocol lets a prover show that he knows solutions of 
at least t out of n problem instances without revealing which t instances are 
involved. Our (t, n)-threshold ring signature scheme follows its concept in the 
sense that the t participating signers show that they know at least t private keys 
corresponding to n public keys without leaking which ones they really are. 

The protocol proposed in [6] requires two mechanisms with certain security 
properties. The first mechanism is a proof of knowledge protocol taken between 
a prover and a verifier. For simplicity, it is assumed to be a three round public 
coin protocol where the prover speaks first. The three messages are denoted 
as m\ c and m" where c is referred to as a challenge generated by the verifier 
and m" is the prover’s final message which is referred to as the answer. By 
running this protocol, the prover tries to convince the verifier that he knows 
the solution (the witness), denoted by w, of a publicly known problem instance, 
denoted by x. One important property of the proof of knowledge protocol is 



A Separable Threshold Ring Signature Scheme 



15 



called honest verifier zero-knowledge. This property allows anyone on input x 
simulates the conversation (m! , c, m") in the way that it is indistinguishable from 
a real conversation between an honest prover and an honest verifier. 

The second mechanism is a secret sharing scheme. The scheme distributes 
a secret s among n participants. Each participant has one share. The shares are 
computed in such a way that knowing t (where t < n) shares can reconstruct s. 
One important property of the scheme is that given s and shares of any n — t 
participants, the shares of the remaining t participants can be reconstructed. 

Let P and V be the prover and verifier, respectively. The description below 
shows the major steps of the protocol of [6]. It allows P to show V that he 
knows solutions of t out of n question instances, denoted by xi, ■ ■ ■ , x n , without 
revealing which t instances are involved. Let A be the set of t question instances 
whose solutions are known to P. Let A be the set of the other n — t question 
instances whose solutions are not known to P. 

1. For each i £ A, as P does not know the solution Wi to question instance Xi, 
he simulates a conversation (m',Ci,m"). For each i £ A, P determines rn' 
as what an honest prover would send as the first message in the proof of 
knowledge protocol for the question instance Xj. P sends m' lt • • • , m' n to V. 

2. V randomly picks a binary string with appropriate length and denotes it 
as s, the secret. V sends s to P. 

3. Due to the important property of the secret sharing scheme described 
above, P considers s as the secret and Cj for * £ A as the n — t shares, and 
reconstructs the remaining t shares. These t shares are set to Cj for i € A. 
In Step 1, m " has produced for each i £ A. For each i £ A, P knows the 
witness Wi for Xi , and can therefore find a valid m " for m\ and c* by running 
the proof of knowledge protocol for common input Xi while behaving exactly 
like an honest prover. P sends the set of messages Cj, m", for 1 < * < n, to V. 

4. V verifies whether all conversations (m(, Cj, m"), for 1 < i < n, lead to accep- 
tance by honest verifiers in the corresponding proof of knowledge protocols. 
In addition, V checks if all the n shares are consistent with the secret s. He 
accepts if all these checkings are satisfied. 

It is also remarked in [6] that this protocol can be extended to an non- 
interactive forum (signature) by computing the challenge as a hash value of the 
message to be signed and the prover’s first message. 

In [1], Abe et al. presented an instantiation of [6] which is a ring signature 
scheme. In [4], Bresson et al. presented a threshold ring signature instantiation 
of [6]. In [3] , Bresson et al. proposed another threshold ring signature scheme with 
a different construction from [6]. It uses the concept of partitioning. In [20], Wong 
et al. proposed a threshold ring signature scheme using tandem construction 
method which can be considered as an extension of the ring signature scheme 
proposed by R.ivest et al. [.6]. It runs efficiently when t is near 1 or n. All of 
them support the use of public keys for only trapdoor one-way type signature 
schemes. They do not support public keys for three-move type signature schemes 
or the mixture of these two types of signature schemes. In other words, none of 
the current threshold ring signature schemes is separable. 



16 



Joseph K. Liu et al. 



In this paper, we propose a separable threshold ring signature scheme. In the 
following, we first specify the security requirements of a secure threshold ring 
signature scheme. 



3 Security Model 

Let k £ N be a security parameter and m £ {0, 1}* be a message. 

Definition 1 (Threshold Ring Signature Scheme). A (t , n) -threshold ring 
signature scheme is a triple ( Q , St, n , Vt,n) where 

— ( s,P ) <— G(l k ) is a probabilistic polynomial time algorithm (PPT) which 
takes as input a security parameter k, produces a private key s and a public 
key P. 

— a <— S, L, m) is a PPT which accepts as inputs a security parame- 

ter k, a set of private keys S , a set of public keys L including the ones that 
correspond to the private keys in S and a message m, produces a signature 
a. We require that |5| = t and \L\ = n where 0 < t < n. 

— 1/0 <— Vt jra (l fc , L, m, a) is a polynomial-time algorithm which accepts as in- 

puts a security parameter k, a set of n public keys L, a message m and 
a signature a, returns 1 or 0 for accept or reject, respectively. We require 
that Vt, n (l fe , L, 77i, tS’t,n(l fe , S, L, ro)) = 1 for any message m and any set S 
oft private keys in which each key is generated by and any set L of n 

public keys in which the public keys corresponding to all the private keys of 
S are included. 

For simplicity, we usually omit the input of security parameter when using St, n 
and Vt, n in the rest of the paper. 

L may include public keys based on different security parameters. The se- 
curity of the signature scheme defined above is set to the smallest one among 
them. Q may also be extended to take the description of key types. 

The security of a (t, n)-threshold ring signature scheme consists of two re- 
quirements, namely Signer Ambiguity and Unforgeability. They are defined as 
follows. 

Definition 2 (Signer Ambiguity). Let L = {Pi,---,P n } where each key 
is generated as ( Si,Pi ) <— G( l fei ) for some ki £ N. Let k = min(fci, • ■ • , k n ). 
A (t,n) -threshold ring signature scheme is unconditionally signer ambiguous 
if for any L, any message m, and any signature a <— St,n(S,L,m) where 
S C {sr , • • • , s ra } and | = t, any unbound adversary E accepts as inputs L, m 
and a, outputs i r such that s v £ S with probability t/n. 

It means that even all the private keys are known, it remains uncertain that 
which t signers out of n possible signers actually work jointly to generate a (t, n)- 
threshold ring signature. 



A Separable Threshold Ring Signature Scheme 



17 



Definition 3 (Unforgeability). Let L = {Pi, ■ ■ ■ , P n } be the set of n public 
keys in which each key is generated as ( Si,Pi ) <— Q{ l ki ) where ki £ N. Let 
k = min(fci, ■ ■ ■ , k n ). Let SO{L' , i\, ■ ■ ■ , if, m) be a signing oracle that takes 
any set L' of public keys, where L' C L and n' = \L'\, any t! signers indexed 
by ii,---,i t ’ where 1 < ij < n, 1 < j < t' and t' < n' , and any message m, 
produces a (t 1 ,n') -threshold ring signature a <— Sf ■ ■ ■ , §i t ,} , L' ,m) such 

that Vt',n'(L', m, cr) = 1. Let St- i be any set oft— 1 private keys corresponding 
to the public keys in L. A (t,n) -threshold ring signature scheme is unforgeable 
if, for any PPT A with signing oracle SO, for any L, and for all sufficiently 
large k, 

Pr[^4‘ so (l fe , L, St-i) — > (m,er) : 1 <- V t , n (L,m,a)\ < e(k) 

where e is some negligible function. Restriction is that ( L , i\, ■ ■ ■ , i t , m, a) should 
not be found in the set of all oracle queries and replies between A and SO for 
any 1 < ij < n, 1 < j < t. The probability is taken over all the possible inputs 
of A, oracle queries and coin flips of A. 

A real- valued function e is negligible if for every c > 0, there exists a k c > 0 such 
that e(k) < k~ c for all k > k c . 

We say that a ( t , n)-threshold ring signature scheme is secure if it satisfies 
the above requirements. 

4 The Separable Threshold Ring Signature Scheme 

Our scheme follows the concept of the three-round protocol in [6] (Sec. 2.1). In 
the following, we exemplify our separable threshold signature scheme by using 
a concrete setup which consists of the mixture of public keys for all RSA-based 
and DL-based signature schemes. In Sec. 6, we generalize it to support the mix- 
ture of public keys for any trapdoor one-way type and three-move type signature 
schemes. 

4.1 Concrete Setup: All RSA-based and DL-based Public Keys 

For i = 1, • • • , n, if user i has a DL-based key pair, his public key is ( pt , qi,gt, yf) 
and private key is Xi £ where Pi,qt are prime, <?i|(pi — 1), gt £ of order qt 
and yi = gf’ mod pi . We assume that the discrete logarithm problem modulo pt 
is hard. If user i has a RSA-based key pair, then his public key is (e^, Nf and 
private key is di where Ni is a product of two equal-length prime numbers 
and etdi = 1 (mod 4>{Ni)). We assume that the underlying RSA inverting 
problem is hard. Let Hi : {0, 1}* — > Zjv* be some cryptographic hash function. 
Let L be the set of all public keys of the n users. 

Let p be twice the bit length of the largest qt and iVj, for 1 < i < n. Let 
G : {0,1}* — > {0,1} P be some cryptographic hash function. Without loss of 
generality, suppose user j, for 1 < j < t, are participating signers and user i, 
for t + 1 < i < n, are non-participating signers. To generate a (t, n)-threshold 
ring signature on a message m € {0, 1}*, the t participating signers carry out 
the following steps. 



18 



Joseph K. Liu et al. 



The Signing Algorithm. 

1. For i = t+ 1, ■■ ■ ,n, pick a Gr {0, 1} P and Si Gr Zx where X = or X = Ni 
if user i has a DL-based key pair or a RSA-based key pair, respectively. 
Compute 

_ J gl'yl' mod Pi if user i has a DL-based key pair 

1 \ Hi(d) + sf* mod Ni if user i has a RSA-based key pair 

2. For j = 1, • • ■ , i, pick rj Gr Zx and compute 

J g rp mod pi if user j has a DL-based key pair 
\ rj if user j has a RSA-based key pair 

3. Compute cq = G(L, t, m, z±, ■ ■ ■ , z n ) and construct a polynomial / over 
GF(2 P ) such that deg (/) = n—t, /( 0) = cq and f{i) = c,, for t+1 < i < n. 

4. For j = 1, • ■ ■ , t, compute Cj = f{j ) and 

J rj — CjXj mod qj if user j has a DL-based key pair 

J [ ( rj — Hj(cj)) dj mod Nj if user j has a RSA-based key pair 

5. Output the signature for m and L as a = (si, • • • , s ni /). 

The Verification Algorithm. A verifier checks a signature a = (si, • • • , s n , f) 
with a message m and a set of public keys L as follows. 

1. Check if deg (/) = n—t. If yes, proceed. Otherwise, reject. 

2. For i = 1, ■ • ■ , n, compute d = f(i) and 

, _ J gl'yl' mod pi if user i has a DL-based key pair 

1 \ Hi(d) + s®* mod Ni if user i has a RSA-based key pair 

? 

3. Check whether /( 0) = G(L, t,m, z[,- ■ ■ , z n ). If yes, accept. Otherwise, reject. 

It is not difficult to see that this concrete setup can be generalized easily 
to support the mixture of public keys for all trapdoor-one-way type and three- 
move type signature schemes at the same time in a signature. A generic scheme 
is given in Sec. 6. 

5 Security Analysis 

We first define the following two problems and assume that they are hard in our 
concrete setup described above. 

Discrete Logarithm Problem (DLP). Let p and q be prime, q\{p— 1), and |g| = k 
where k is a security parameter. Let g G Z* of order q. Given an element h G Z* 
chosen at random, find an integer x such that g x = h (mod p) . 



A Separable Threshold Ring Signature Scheme 



19 



RSA Problem (RSAP). Let n = pq where p and q are two equal-length primes. 
Let e be a number such that e and are co-prime. Given an element y £ Z„ 
chosen at random, find an integer x such that x e = y (mod n). 

Theorem 1. The scheme in Sec. 4-1 is unconditionally signer ambiguous if all 
hash functions behave like random oracles [2], 

Proof. The polynomial /, with degree n— t, is determined by ct+i, • • • , c n and cq. 
ct- |-i, • • ■ , c n are randomly generated and cq is the output of the random oracle G. 
Thus / can be considered as a function chosen randomly from the collection of 
all polynomials over GF(2 P ) with degree n—t. Then the distributions of Ci, ■ ■ ■ , Cj 
are also uniform over the underlying range. 

For i = t + 1, • • • , n, Sj are chosen independently and distributed uniformly 
over Z.y where X = qi or X = Ni if signer i has a DL-based key pair or a RSA- 
based key pair, respectively. For j = 1, • • • , t, rj are chosen independently and 
distributed uniformly over Zx- Since rj are independent of Cj and the private 
keys Xj (DL-based private key) or dj (RSA-based private key), Sj, 1 < j < t , 
are also uniformly distributed. 

In addition, for any fixed message m and fixed set of public keys L , we can 
see that (si, • ■ • , s n ) has exactly 



n v, 

l<i<n 



possible solutions. Since the distribution of these possible solutions are indepen- 
dent and uniformly distributed no matter which t participating signers are, an 
adversary, even has all the private keys and unbound computing resources, has 
no advantage in identifying any one of the participating signers over random 
guessing. □ 

In the following, we show the unforgeability (Def. 3) in the case when all 
public keys are for DL-based signature schemes. 

Lemma 1 . Let a forger E be a probabilistic polynomial time machine. For some 
message m £ {0,1}* and a set of n public keys L corresponding to n signers, 
suppose E on inputs the private keys of any t— 1 signers among the n sign- 
ers, queries a signing oracle SO (specified in Def. 3) and a random oracle G 
polynomial times, and outputs a forged signature a (i.e. 1 <— Vt,n(L,m,cr)), 
with non-negligible probability pe- Then DLP can be solved with non-negligible 
probability in polynomial time. 

Proof in Appendix A. 

We will need the following definitions. 

The RSA-Collision Problem: Given an RSA public key (n, e) and a hashing 
function FI, produce (ci, si) ^ ( 02 , S 2 ) satisfying 7J(ci) + sf = H(c 2 ) + S 2 mod n. 

Remark: Under the random oracle model, the RSA-Collision Problem is 
equivalent to the Additive RSA Problem from [10]: Given an RSA public key 



20 



Joseph K. Liu et al. 



(n,e) and a random number r, produce (si,S 2 ) satisfying sf — s| = r mod n. 
The proof of this equivalence is straightforward and omitted. 

Now we show the unforgeability (Def. 3) in the case that all public keys are 
for RSA-based signature schemes. 

Lemma 2. Let a forger A be a probabilistic polynomial time machine. For some 
message m and a set of n public keys L corresponding to n signers, suppose A on 
inputs the security parameter k, the private keys of any t—1 signers among the n 
signers, queries a signing oracle SO (specified in Def. 3) for qs times, random 
oracle G for qc times and random oracles {i?i}i<i< n for qn times combined, 
and outputs a forged signature a (i.e. 1 <— Vt, n (L,m, a)), with non-negligible 
probability p a- Then RSA-Collision can be solved with non-negligible probability 
in polynomial time. 

Proof in Appendix B. 

Combining the two lemmas above and some additional derivations, we show 
that our scheme in the case of having the mixture of keys for RSA-based and 
DL-based signature schemes is unforgeable. 

Theorem 2. For a PPT forger T which simulates both forgers specified in 
Lemma 1 and Lemma 2, suppose T on inputs the security parameter k, the pri- 
vate keys of any t — 1 signers among n signers, queries signing oracle SO for qs 
times, random oracles Hi, 1 < i < n for qn times and G for qa times, and 
outputs a forged signature a with non-negligible probability pjr. Then a PPT D 
can be constructed from T that solves DLP or RSA-Collision with non-negligible 
probability. 

Proof. The proof is straightforward by combining the machines B and A 1 to- 
gether and replacing the key pairs of other signers to the mixture of RSA-based 
and DL-based ones. □ 

6 The Generic Separable Threshold Ring Signature 
Scheme 

In Sec. 4, we exemplify our scheme with support to the mixture of public keys 
for all types of RSA-based and DL-based signature schemes in a signature. In 
this section, we generalize it by presenting our Generic Scheme. The scheme can 
produce a signature which includes the mixture of public keys for any trapdoor- 
one-way type and three-move type signature schemes. In the following, we first 
review these two types of signature schemes due to [1]. 

Trapdoor-One- Way Type Signature Scheme. Let F be a trapdoor one-way 
function family indexed by a public key P and A -1 be the family of its inverse 
functions indexed by the corresponding private key s. Let Domain be a func- 
tion which accepts as input a function and returns the domain of the function. 
We require that for any m £ Domain(.F), m = T ,_1 (s, F(P,m)). Assume that 



A Separable Threshold Ring Signature Scheme 



21 



computing F^ 1 is hard without knowing s. For short, we define Fp(-) = F(P, •) 
and F7 l (•) = F~ 1 (s, •). Examples of trapdoor one-way type signature schemes 
include RSA [17] signature scheme, Rabin’s function [15, 19], etc. A signing algo- 
rithm 6> H , which takes a message m and the private key s, produces a signature 
a by 

a = F7\H(m)) 

where F[ : {0,1}* — + A is some appropriate cryptographic hash function and A 
is the range of F. The verification algorithm V H , which takes a message m, the 
public key P, and a signature a, produces a boolean output, 1/0. It outputs 1 
if H(m) = Fp(a), otherwise, 0. 

Three-Move Type Signature Scheme. Three-move type signature schemes 
are derived from three-move honest verifier zero-knowledge proofs. Fiat-Shamir 
signature scheme [8] and Schnorr signature scheme [18] belong to this type. The 
signing algorithm <S T , which takes a message m and a private key .§, produces 
a signature a = (s, c). It consists of three polynomial-time functions: A, FI 
and Z . Function A generates the first-move commitment as z = A(s, r) where r 
is some random number. P : {0,1}* — > A is a hash function which generates 
a non- interactive challenge as c = P(m, z). The size of A is assumed to be in the 
same magnitude as that of the space of the public key pair (s, P). Z generates an 
answer s = Z(s,r,c). The verification algorithm V T , which takes a message m, 
a signature a = (s, c) and a public key P, produces a boolean output. It involves 
a function V such that if the signature a is valid and correct, then 

c = P(m, V(P, s, c)). 

6.1 The Generic Scheme 

Let L = {Pi,---,P„} be a set of n public keys corresponding to n possible 
signers. For i = 1, • • • , n, let a + b denote the group operation of Abelian group 
Ai and a — b be the group operation with inverse of 6, for all a,b £ Ai. Domain 
A, depends on Fp. (trapdoor-one- way type) or Pi (three-move type) . 

Let p be twice of the largest | A/, 1 < i < n. Let G : {0, 1}* — ► {0, 1} P be 
some hash function. Without loss of generality, assume user i, for t+l < i < n, 
are non-participating signers and user j, for 1 < j < t, are participating signers. 
To generate a (t, n)-threshold ring signature on a message m, the participating 
signers with their secret keys {si, • • • , s*} carry out the following steps. 

Signing Algorithm. 

1. For i = t+l, ■ • • , n, pick c, £p {0, 1} P and s* £r Ai. Compute 

J V(Pi, Si, 0i(ci)) if user i has a Three-move Type key pair 
1 \ 9i(ci) + Fp i (si) if user i has a Trapdoor One-Way Type key pair 

where 9i : {0, 1}* — > Ai is some hash function which maps to some appro- 
priate range. 



22 



Joseph K. Liu et al. 



2. For j = 1, • ■ ■ , t, pick rj Gr Aj and compute 

{ A(sj , rj ) if user j has a Three-Move Type public key pair 
Tj if user j has a Trapdoor One-Way Type key pair 

3. Compute cq = G(L,t,m, z±, - • ■ , z n ) and construct a polynomial / over 
GF(2 P ) such that deg(/) = n — t, /( 0) = Co and /(*) = c,; for i = t+ 1, ■ • ■ , n. 

4. For j = 1, • ■ ■ , t, compute Cj = f(j) and 

f Z(§j, rj , Oj(cj)) if user j has a Three-Move Type key pair 
— { F7 l (jj — 9j(cj)) if user j has a Trapdoor One-Way Type key pair 

where 0j : {0,1}* — > Aj is some hash function which maps to some appro- 
priate range. 

5. Output the signature for m and L as a = (si, • • • , s n , /). 

Verification Algorithm. A verifier checks a signature a = (si, • • • , s n , f) with 
a message m and a set of public keys L = {Pi, ■ ■ ■ , P„} as follows. 

1. Check if deg (/) = n—t. If yes, proceed. Otherwise, reject. 

2. For i = 1, ■ ■ • n, compute Cj = /(*) and 

, f V ( Pi , Si, 6i(ci)) if user i has a Three-move Type key pair 

1 \ 9i(ci) + Tp^Si) if user i has a Trapdoor One-way Type key pair 

? 

3. Check whether /( 0) = G(L, ■ , z' n ). If not, reject. Otherwise, accept. 

7 Conclusion 

In this paper, we describe a ( t , n)-threshold ring signature scheme which is per- 
fectly separable. A signature produced by this scheme can include an arbitrary 
mixture of public keys which are for various flavors of traditional signature 
schemes. A concrete scheme of supporting the mixture of RSA-based and DL- 
based public keys with various security parameters is also given. The scheme 
is shown to be signer ambiguous and existentially unforgeable against chosen 
message attacks under the random oracle model. 

References 

[1] M. Abe, M. Ohkubo, and K. Suzuki. 1-out-of-n signatures from a variety of keys. 
In Proc. ASIACRYPT 2002, pages 415-432. Springer- Verlag, 2002. Lecture Notes 
in Computer Science No. 2501. 14, 15, 20 
[2] M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for de- 
signing efficient protocols. In Proc. 1st ACM Conference on Computer and Com- 
munications Security, pages 62-73. ACM Press, 1993. 14, 19 



A Separable Threshold Ring Signature Scheme 



23 



[3] E. Bresson, J. Stern, and M. Szydlo. Threshold ring signatures and applications 
to ad-hoc groups. In Proc. CRYPTO 2002, pages 465-480. Springer- Verlag, 2002. 
Lecture Notes in Computer Science No. 2442. 13, 14, 15 

[4] E. Bresson, J. Stern, and M. Szydlo. Threshold ring signatures and applications 

to ad-hoc groups, full version, http://www.di.ens.fr/ +bresson, 2002. 14, 15 

\bibitem{CamenischDa00}J. Camenisch and I. Damgard. Verifiable encryption, 
group encryption, and their applications to separable group signatures and sig- 
nature sharing schemes. In Proc. ASIACRYPT 2000, pages 331-345. Springer- 
Verlag, 2000. Lecture Notes in Computer Science No. 1976. 

[5] J. Camenisch and M. Michels. Separability and efficiency for generic group sig- 
nature schemes. In Proc. CRYPTO 99, pages 413-430. Springer- Verlag, 1999. 
Lecture Notes in Computer Science No. 1666. 13 

[6] R. Cramer, I. Damgard, and B. Schoenmakers. Proofs of partial knowledge and 
simplified design of witness hiding protocols. In Proc. CRYPTO 94, pages 174- 
187. Springer- Verlag, 1994. Lecture Notes in Computer Science No. 839. 14, 15, 
17 

[7] Y. Desmedt. Some recent research aspects of threshold cryptography. In Proc. 
First International Workshop on Information Security, ISW 97, pages 158-173. 
Springer- Verlag, 1997. Lecture Notes in Computer Science No. 1196. 13 

[8] A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification 
and signature problems. In Proc. CRYPTO 86, pages 186-199. Springer- Verlag, 
1987. Lecture Notes in Computer Science No. 263. 14, 21 

[9] D. Johnson, A. Menezes, and S. Vanstone. The elliptic curve digital signature 
algorithm (ECDSA). International Journal on Information Security, l(l):36-63, 
2001 . 12 

[10] J. Kilian and E. Petrank. Identity escrow. In Proc. CRYPTO 98, pages 169-185. 
Springer- Verlag, 1998. Lecture Notes in Computer Science No. 1462. 13, 19 

[11] .1. K. Liu, V. K. Wei, and D. S. Wong. Linkable and culpable ring signatures. 
Manuscript, 2003. 25 

[12] National Bureau of Standards FIPS Publication 186. Digital Signature Standard, 
1994. 12 

[13] K. Ohta and T. Okamoto. On concrete security treatment of signatures derived 
from identification. In Proc. CRYPTO 98, pages 354-369. Springer- Verlag, 1998. 
Lecture Notes in Computer Science No. 1462. 25 

[14] D. Pointcheval and J. Stern. Security proofs for signature schemes. In Proc. EU- 
ROCRYPT 96, pages 387-398. Springer- Verlag, 1996. Lecture Notes in Computer 
Science No. 1070. 25 

[15] M. O. Rabin. Digitalized signatures as intractable as factorization. Technical 
Report MIT/LCS/TR-212, MIT Laboratory for Computer Science, January 1979. 
21 

[16] R. Rivest, A. Shamir, and Y. Tauman. How to leak a secret. In Proc. ASIACRYPT 
2001, pages 552-565. Springer- Verlag, 2001. Lecture Notes in Computer Science 
No. 2248. 13, 14, 15 

[17] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining 
digital signatures and public-key cryptosystems. Communications of the ACM, 
21(2):120-126, February 1978. 12, 21 

[18] C. P. Schnorr. Efficient identification and signatures for smart cards. In Proc. 
CRYPTO 89, pages 239-252. Springer, 1990. Lecture Notes in Computer Science 
No. 435. 12, 14, 21 



24 



Joseph K. Liu et al. 



[19] H. C. Williams. A modification of the RSA public-key encryption procedure. 
IEEE Transactions on Information Theory , IT-26(6):726-729, November 1980. 
21 

[20] D. S. Wong, K. Fung, J. K. Liu, and V. K. Wei. On the RS-Code construction of 
ring signature schemes and a threshold setting of RST. In 5th Inti. Conference on 
Information and Communication Security (ICICS 2003), pages 34-46. Springer- 
Verlag, 2003. Lecture Notes in Computer Science No. 2836. 14, 15 

[21] F. Zhang and K. Kim. ID-Based blind signature and ring signature from pairings. 
In Proc. ASIACRYPT 2002, pages 533-547. Springer- Verlag, 2002. Lecture Notes 
in Computer Science No. 2501. 14 



A Proof of Lemma 1 

Proof. Suppose on inputs of any set of t — 1 private keys St- 1 , any set of n 
public keys L, in which the corresponding public keys of the private keys in 
St - 1 are included, and any binary string m G {0,1}*, there exists a PPT E 
that outputs a forged signature a = (si, • • • , s n , f ) such that deg(/) = n—t with 
non- negligible probability pe • We construct from E a PPT B that solves DLP 
with non-negligible probability. That is, given ( p,q,g,y ), B outputs an integer 
x such that g x = y (mod p) with non-negligible probability. 

To get the black-box E run properly, B needs to provide a set of t — 1 
private keys St- i, a set of n public keys L, in which the corresponding pub- 
lic keys of the private keys in St— i are included, and some binary string m 
as inputs. To do this, B randomly generates a set of n — 1 public key pairs 
TI = {(Xi,(j>i,qi, gi,yi))}i<i< n -i where Xi G Z 9i and yt = g Xi (mod pf). Next 
B randomly picks t — 1 private keys from U and denotes the set to be St- 1 - 
Then B sets L to be the collection of all the public keys in 77 and (p, q, g, y) 
and m to be an arbitrary binary string. Without loss of generality, let 7r index 
(p, 9, 9, V ) in L. 

Besides, B also simulates E's point of view by constructing the random oracle 
G and the signing oracle SO. We first describe the construction of the signing 
oracle SO. On inputs a set of public keys L where n = \L\, i\, ■ ■ ■ ,i t such that 
1 < ij < n for 1 < j < t and t < n, and some binary string m G {0, 1}*, the 
answer is simulated as follows. 

1. Randomly generate cq, Ct+ 1 , • • • , c n Gr {0, 1} P . 

2. Construct / over GF(2 P ) such that deg(/) = n — t and /( 0) = co, f(i) = Ci, 
for i = t + 1 , • • • , n. 

3. Compute a = /( 1), ■■■ ,c. t = f(t). 

4. Randomly generate Si Gr for i = 1, ■ • ■ , n. 

5. Compute zt = y') 1 mod pi for i = 1, • ■ • , n. 

6. Assign co as the value of G(L, t, m, z±, ■ ■ • , z n ). 

7. Output (si, - ■ ■ ,s n , f). 

The simulation fails if step 6 causes collision, that is, the value of co has 
been assigned before. This happens with probability at most qc/ 2 P where qc is 



A Separable Threshold Ring Signature Scheme 



25 



the number of times that the random oracle G is queried by E. Since E only 
queries G for polynomially number of times, the simulation is successful with 
overwhelming probability. 

Let 0. fl be the random tapes given to the signing oracle and E such that 
E outputs a forged signature. Notice that the success probability of E is taken 
over the space defined by 0, fl and the random oracle G. The forged signature 
contains a polynomial / where /( 0) = G(L, t, m, z\, ■ ■ ■ , z n ) for Zi = g Si y{ ^ 
(mod pi), 1 < i < n. With probability at least 1 — 2~ p , there exists a query 
G(L, t, m, Zi, ■ ■ ■ , z n ) due to the assumption of ideal randomness of G. Split G 
as ( G~,cq ) where G~ corresponds to the answers to all G-queries except for 
Co- By invoking E with ( 0,fl,G~ ) and randomly chosen Cg (y^ cq ) polynomial 
times p'{qG)/PE , E outputs at least one forged signature a' = (s[, ■ ■ ■ , s' n , f) 
with probability pe / p" (qo), due to the heavy-row lemma [13] where p' and p" 
are some polynomial functions. Since (0, fl, G~) is fixed, z\ to z n are unchanged 
for both runs. Therefore, B can compute the discrete-log x = (s w — s'„) / (c^ — 
c n ) mod q. 

To see that c' n y^ c „ (that is, /'(7r) y^ /M), we notice that since /'( 0) y^ /( 0) 
and the degrees of / and /' are limited to n — t, there is at least one value 
1 < j < n such that /'(;/) y^ f(j). The chance of having j = tt is 1/n if 
7 r is randomly chosen. Hence the probability of having B succeed is at least 
Pe / (np" {qc)) which is non-negligible. 

Notice that in the tape rewind simulation above, forking lemma [14] or ROS 
(Rewind-on-Success) lemma [11] can also be used to derive the success proba- 
bility of machine B. □ 



B Proof of Lemma 2 

Proof. Let A be a PPT adversary who can forge signatures with non-negligible 
probability at least 1/Q\{k) when given a security parameter k, n RSA en- 
cryption functions and strictly less than t of the matching decryption functions 
where Q\ is some polynomial. Assume A makes qa queries to G, qs queries to 
the signing oracle SO, and a total of qn queries to Hi, ■ ■ ■, H n combined. We 
construct from A a PPT M that solves t copies of RSA-Collision with respect 
to t different encryption functions with non-negligible probability. 

A successful forgery a = (si, • • • , s n , f) generated by A with Turing transcript 
T (including coin flip sequences) is called an Aforgery if the first appearance in 
T of the query G{L, t, m, z\, ■ ■ ■ , z n ) is the Ath G-query, 1 < £ < qG + qs- Note 
Ci = /(*), 0 <i<rv,Zi = Hi(a ) + s^, 1 < i < n. 

M simulates A’s point of view by making G, Hi, ■ • -, H n independent random 
oracles, and implements the signing oracle SO by our signing algorithm similar 
to the construction described in the proof of Lemma 1. Additional specifications 
of A4 will be presented after some technical definitions. 

For each f, 1 < t < qc + qs, M. makes a simulation run described below. 
Random oracles are started anew for each pass. 



26 



Joseph K. Liu et al. 



In the £-th pass, M simulates A to obtain a = (si, • • • , s n , /). Then it 
rewinds to the £-th G-query and resimulates A from there onward to obtain 

d’ = (si i ■ ■ ■ j s n , /). 

There exists £ such that the probability of A generating an Gforgery is at 
least l/(Qi(k)(qG + qs ))■ By the heavy-row lemma, the probability of returning 
two successful Gforgeries in the £-th pass is at least 1/(4 Q\{k){qc + qs ) 2 )- 

Consider the case where two successful Gforgeries, denoted a = (si, ■ • • , s n , f) 
and a = (si, • • • , s n , /), are returned in the £-th pass of the simulation. The 
collision-freeness of H implies that /( 0) ^ /( 0), and / ^ f . Since both polyno- 
mials have degree n — t, there exist at least t integers, 1 < i\ < • • • < it < n, 
such that f(ij) ^ f(ij ), 1 < j < t. In the rewind simulation, the inputs to the 
£-th G-query are identical to the first simulation. Therefore, Zi = Hi(ci) + s = 
Hi(cii ) + 1 < i < n. Therefore, M has obtained the T desired sets of RSA- 

Collisions Zi = Hi(ci)+s f = H^Cij+s^ and (a, s,) ^ (cj, Sj), for i £ {ii, • • • , i t }. 
The complexity of M. is qc + qs times that of A. and the probability of success 
of M is at least 1/(4 Q\{k){qc + qs) 2 )- □ 

Remark: We have proven that if A can solve RSA-Collision with non- 
negligible probability, then A can forge signatures. The technique will be dis- 
cussed in another paper. 



On the Security of a Group Signature Scheme 
with Forward Security 



Guilin Wang 



Infocomm Security Department (ICSD) 
Institute for Infocomm Research (I 2 R) 

21 Heng Mui Keng Terrace, Singapore 119613 
http: //www. i2r . a-star . edu. sg/icsd/staf f /guilin 
glwang@i2r . a-star . edu . sg 



Abstract. A group signature scheme allows a group member of a given 
group to sign messages on behalf of the group in an anonymous and 
unlinkable way. In case of a dispute, however, a designated group man- 
ager can reveal the signer of a valid group signature. Based on Song’s 
forward-secure group signature schemes, Zhang, Wu, and Wang proposed 
a new group signature scheme with forward security at ICICS 2003. Their 
scheme is very efficient on both communication and computation aspects. 
Unfortunately, their scheme is insecure. In this paper we present a se- 
curity analysis to show that their scheme is linkable, untraceable, and 
forgeable. 

Keywords: digital signature, group signature, forward security, crypt- 

analysis. 



1 Introduction 

In modern electronic society, digital signatures are playing an important role to 
provide integrity, authentication and undeniability for electronic transactions. 
Group signatures, first introduced by Chaum and van Heyst in [14] , are a special 
type of digital signatures. In such a scheme each group member of a given group 
is allowed to sign messages on behalf of the group in an anonymous and unlink- 
able way. To check the validity of a group signature, a receiver only needs to get 
the unique group public key. However, with the exception of a designated group 
manager , anybody else can neither identify the identity of the signer nor de- 
termine whether multiple signatures are generated by the same group member. 
Furthermore, in case of later disputes, the group manager can “open” a group 
signature and then reveal the true signer’s identity. 

From the viewpoints of verifiers, only a single group public key is needed to 
verify group signatures. On the other hand, from the viewpoint of the signing 
group, its internal structure is hidden from verifiers while the signers’ identities 
can be revealed, if necessary. In virtue of these advantages, group signatures 
have many potential applications, such as e-voting, e-bidding and e-cash etc [15, 
20, 23, 21, 13]. 



J.I. Lim and D.H. Lee (Eds.): ICISC 2003, LNCS 2971, pp. 27-39, 2004. 
(c) Springer- Verlag Berlin Heidelberg 2004 



28 



Guilin Wang 



Following the first schemes constructed in [14], a number of new group signa- 
ture schemes and improvements have been proposed [15, 9, 22, 10, 2, 3, 19, 8, 24, 
12, 7]. In [15], Chen and Pedersen constructed the first scheme which allows new 
members to join the group dynamically, and suggested to use group signatures 
in e-bidding. Camenisch and Stadler proposed the first group signature scheme 
that can be used for large groups, since in their scheme the group public key and 
signatures have lengths independent of the group size [9]. Based on the strong 
RSA assumption [16], Camenisch and Michels presented an efficient group sig- 
nature scheme in [10, 11]. Later, Kim et al. extended their scheme to support 
efficient member revocation [19]. Ateniese and Tsudik pointed out some obsta- 
cles that stand in the way of real world applications of group signatures, such 
as coalition attacks and member deletion [2], In fact, there have been several 
papers which focused on the problem of member deletion [19, 8, 4]. Ateniese et 
al. presented a provably secure group signature scheme in [3]. 

Song addressed two important problems in group signature schemes, i.e. , how 
to deal with exposure of group signing keys and how to efficiently revoke group 
members [24]. Here, a group signing key is referred to all secrets that enable 
a signer to produce group signatures in [24]. In fact, a group signing key consists 
of the membership secret and the group membership certificate [9, 3]. Based on 
the idea of forward secure signatures [1, 6, 17], Song constructed the fist two 
forward- secure group signature schemes. In such a scheme, the expected system 
life-time is divided into T time periods, and each group member’s signing key 
evolves over time. In time period j+ 1, the signing key skj + \ is updated from the 
signing key skj for time period j by using a public one-way function, and then 
skj is erased from the system. When the signing key skj is compromised, an 
attacker cannot sign messages with respect to any previous period. Especially, 
he cannot derive any previous signing key which corresponds to a time period i, 
i < j. Furthermore, Song also extended her schemes to support group member 
revocation. In Song’s schemes, the group public key is affected neither by signing 
key update, nor by group member join or leave. 

In [28], Zhang, Wu, and Wang proposed a newly efficient forward-secure 
group signature scheme. Since signatures of knowledge (refer to [9, 3]) are not 
used, their scheme is really very efficient on both computation and communi- 
cation aspects. For example, the total computation cost of their signature gen- 
eration and verification is only 7 modular exponentiations, while 36 modular 
exponentiations are needed in Song’s schemes. At the same time, they claimed 
that their scheme satisfies all the desired security requirements (see Section 2). 
However, we find this is not the fact. 

In this paper, we present a security analysis of Zhang- Wu- Wang group signa- 
ture scheme with forward security [28]. More specifically, we demonstrate that 
their scheme is linkable, untraceable and forgeable. We first identify an effective 
way that allows anybody to determine whether two group signatures are signed 
by the same group member. Then, we demonstrate that any group member 
can forge valid signatures which cannot be opened by the group manager. This 
implies that their OPEN procedure fails to trace malicious group members. Fur- 



On the Security of a Group Signature Scheme with Forward Security 



29 



thermore, we prove that Zhang- Wu- Wang scheme is untraceable in essence , i.e., 
their scheme cannot meet the traceability if one just modifies OPEN procedure. 
Finally, under reasonable assumptions, a universally forging attack is presented. 
In this attack, even an outsider (not a group member) can forge valid group 
signatures on any messages of his choice. Therefore, Zhang- Wu- Wang scheme is 
insecure , though it is very efficient. 

The rest of this paper is organized as follows. In Section 2, we introduce the 
informal definitions of a forward-secure group signature scheme and the security 
requirements. Section 3 reviews Zhang- Wu- Wang scheme [28]. Then, our security 
analysis is presented in Section 4. Finally, Section 5 concludes this paper. 

2 Definitions 

A forward-secure group signature scheme involves a group manager , a set of group 
members , and a set of verifiers. The group manager (for short, GM) is responsible 
for admitting/revoking group members, and for opening group signatures to 
reveal the true signers. When a potential user registers with GM, he/she becomes 
a group member and then can sign messages on behalf of the group. A verifier 
checks the validity of a group signature by using the unique group public key. The 
computational capability of each entity is modeled by a probabilistic polynomial- 
time Turing machine. We now review the definitions of forward-secure group 
signature schemes and their security requirements as follows. For more formal 
definitions on this subject, please refer to [7]. 

Definition 1. A forward-secure group signature scheme is comprised of the fol- 
lowing procedures [9, 2, 3, 24, 28]: 

— SETUP : On input of a security parameter i, this probabilistic algorithm out- 
puts the initial group public key and the secret key for the group manager. 

— JOIN: An interactive protocol between the group manager and a user that re- 
sults in the user becoming a new group member. The user’s output is a group 
signing key, i.e., a membership secret and the corresponding membership 
certificate. 

— EVOLVE: An algorithm that on input a group signing key for time period j, 
outputs the corresponding group signing key for time period j + 1 . 

— SIGN: A probabilistic algorithm that on input a group public key, a group 
signing key, and a message m outputs a group signature on m. 

— VERIFY : An algorithm for establishing the validity of an alleged group sig- 
nature of a message with respect to a group public key. 

— OPEN : An algorithm that, given a message, a valid group signature on it, 
a group public key and the corresponding group manger’s secret key, deter- 
mines the identity of the signer. 

— REVOKE: An algorithm that on input a group member’s certificate, a group 
public key and the corresponding group manger’s secret key, outputs a revo- 
cation token that revokes the group member’s signing ability. 



30 



Guilin Wang 



Definition 2. A forward-secure group signature scheme is secure if it satisfies 
all the following security requirements [2, 3, 24, 28]: 

— Correctness: Signatures produced by a group member using SIGN procedure 
must be accepted by VERIFY procedure. 

— Unforgeability: Only group members are able to sign messages on behalf of 
the group. 

— Anonimity: Given a valid group signature for some message, identifying the 
actual signer is computationally hard for everyone but the group manager. 

— Unlinkability: Deciding whether two different valid signatures were gener- 
ated by the same group member is computationally hard for everyone but the 
group manager. 

— Excupability: Even if the group manager and some of the group members 
collude, they cannot sign on behalf of non-involved group members. 

— Traceability: The group manager can always open a valid group signature 
using OPEN procedure and then identify the actual signer. 

— Coalition-resistance: A colluding subset of group members cannot generate 
a valid group signature that cannot be traced by the group manager. 

— Revocability: The group manager can revoke a group member’s signing 
ability so that this group member cannot produce a valid group signature any 
more after being deleted. 

— Forward security: When a group signing key is exposed, previously gener- 
ated group signatures remain valid and do not need to be re-signed. 



3 Review of Zhang- Wu- Wang Scheme 

3.1 SETUP Procedure 

The group manager (GM, for short) randomly chooses two large primes p\, P 2 of 
the same size such that p\ = 2p' x + 1 and P 2 = 2p 2 + 1, where both p\ and p' 2 are 
also primes. Let n = P 1 P 2 , and G = ( g ) be a cyclic subgroup of Z* . Usually, G 
is selected as the set of quadratic residues modulo n [10, 3, 24], i.e., g’s order 
ord(g) = p\p' 2 . GM randomly chooses an integer x as his secret key, and then 
sets his public key as y = g x mod n. GM selects a random integer e (e.g., e = 3) 
which satisfies gcd(e, (f(n )) = 1, and computes d such that de = 1 mod </>(n). Let 
h(-) be a publicly known coalition-resistant hash function (e.g., SHA-1, MD5). 
The expected system life-time is divided into T intervals and the intervals are 
publicly known, (c, s) = SPK{"f : y = g~ 1 }{ ) denotes the signature of knowledge 
of log 9 y on the empty message (see [9, 3] for details). Finally, the group manager 
publishes the public key ( y,n,g,e,hf),IDcM,T ) , where IDqm is the identity 
of the group manager. 

3.2 JOIN Procedure 

If a user, say Bob, wants to join the group, he executes an interactive protocol 
with GM. Firstly, Bob chooses a random number k £ Z* as his secret key, and 



On the Security of a Group Signature Scheme with Forward Security 



31 



computes his identity IDs = g k mod n. Then, Bob generates the signature of 
knowledge (c, s) = SPK{k : IDb = g k }{ ) to show that he knows a secret 
value k to meet IDb = g k mod n. Finally, Bob keeps k privately and sends 
(. IDs , (c, s)) to the group manager. 

Upon receiving ( IDb,{c,s )), GM first verifies the signature of knowledge 
(c, s). If the verification holds, GM chooses a random number a £ Z*, and 
computes a triple (rs , sb , Wb 0 ) from 

tb = g a mod n, SB = a + rsx, wb 0 = {i’bIDgmIDb) - ' 1 ' mod n. 

Then, GM sends Bob (sb, Gb, u>b 0 ) via a private channel, and stores (sbDb, 
wb 0 ) together with ( IDs , (c, s)) in his local database. Bob accepts (sb, t"b, wb 0 ) 
as his initial membership certificate if the following two equalities hold. 

g SB = TBy rB mod n, and vbIDqmIDb = WB 0 ~ e mod n. (1) 

3.3 EVOLVE Procedure 

Assume that Bob has the group membership certificate (sb, £b, res, ) at time 
period j. Then at time period j + 1, he updates his group membership certificate 
as (sB,r B ,WB j+ J by computing 



w B 






{ w Bj ) e mod n (= ( r B ID G MlD B ) 



mod n) . 



(2) 



3.4 SIGN Procedure 

Let (sB,rB,u>Bj) be Bob’s group membership certificate at time period j. To 
sign a message m, Bob randomly chooses two numbers q 1,(72 £ Z*, and com- 
putes Zi,u,r±,r 2 ,r 3 as follows: 

z\ = g qi y q2 mod n, 
u = h(zi,m), 

r 2 = w'b- mod n, (3) 

ri = qi + ( sb + k) ■ u ■ h(r 2 ) (in Z), 

^3 = qi - r B ■ u ■ h(r 2 ) (in Z). 

The resulting group signature on m is er = (u, 7T,r2,r3,m, j). 



3.5 VERIFY Procedure 



Given a = (u, r \ , r 2 , ^ 3 , m, j ) , a verifier accepts it as a valid group signature on m 
if and only if u = h(z[, m), where z[ is computed by 



J — td 

~i — 11J GM 



Hr2) ri h{r 2 )-e 



9 



y r3 mod n. 



,T-j 



(4) 



32 



Guilin Wang 



3.6 OPEN Procedure 

Given a group signature cr = (u,ri,r 2 ,r 3 ,m,j), if necessary, GM can open it 
to reveal the actual identity of the signer who produced the signature. GM first 
checks cr’s validity via VERIFY procedure. If cr is a valid signature, GM operates 
as follows to find the signer’s identity: 

(1) Compute ?7 = l/(it • h{r 2 )) mod <p(n ). 

(2) Compute z[ = IDq^ 2 ' 1 g ri r 1 ^ r2 ' > ' e y r 3 mo d n. 

(3) Search his database to find a pair ( ID B ,r B ) that satisfies the following 
equality: 

r B ID B = (g ri y r3 /z[) v mod n. (5) 

(4) If there is a tuple ( r B ,ID B ) satisfying the above equation, GM concludes 
that ID b is the identity of the actual signer. Otherwise, output _L. 



3.7 REVOKE Procedure 

If GM wants to revoke Bob’s membership certificate at time period j, he pub- 
lishes a revocation token (Rj,j) in the CRL (the Certificate Revocation List), 
where the value Rj is computed by 



Rj = ( r B ID B ) d 3 mod n. (6) 

Given a valid group signature a = (u,ri,r 2 ,r 3 ,m,j), a verifier can identify 
whether a is produced by a revoked group member. For this sake, he performs 
as follows: 

(1) Compute z[ = e y rs mod n. 

(2) Search all (Ri, i ) ( i ^ j) in CRL to check whether there is a Ri [i ^ j) such 
that the following equality holds: 

g ri y r3 = z[(Rf~ i ) u Hr2) mod n. (7) 

(3) If one such Ri ( i ^ j) is found, the verifier concludes that the signature cr 
is revoked, i.e. , it is generated by a group member after he is deleted. 

4 Security Analysis of Zhang- Wu- Wang Scheme 

In [28], Zhang et al. analyzed the security of their scheme, and concluded that 
their scheme satisfies all the security requirements listed in Section 2. However, 
we find that this is not the fact. 



On the Security of a Group Signature Scheme with Forward Security 



33 



4.1 Linkability 

Let a = (u, ri, r2, r"3, m, j) and a = (ft, f\, F2, F3, fh, j) be two (valid) group sig- 
natures. To decide whether they are signed by the same group member, a verifier 
only needs to check whether the following equality holds. 

r 2 = f 2 mod n. (8) 

In fact, if both a and a are signed by the same group member, say Bob, 
according to SIGN procedure, we know that r 2 = (wB j ) uu mod n = f 2 mod n. 
So the above equality holds for er and a. 

On the other hand, we can show that if er and er are signed by two differ- 
ent group members, say Bob and Charlie, respectively, equation (8) unlikely 
holds. To prove this claim, on the contrary, we assume that er and er satisfy 
equation (8). Let Tb = g a mod n, rc = g a mod n, IDb = g k mod p , and 
IDc = g k mod p. Since er is signed by Bob, and ef is signed by Charlie, we 
have r 2 = (w_b 3 )“' u mod n , and f 2 = ( wc j ) u ' u mod n. From r 2 = f 2 mod n, we 

have {tbI DqmI D B)~ uudT 3 = ( rcIDGMlDc)~ uud,T 3 mod n. So, the follow- 
ing equation holds 

g (k-k+a-&)uud T -l = 1 mod n ( 9 ) 

Since ord(<?) = p\p' 2 , gcd (d, <f>{n )) = 1, and <fi(n) = ^p^p^, we know gcd(d, ord(g)) 
=1. At the same time, usually |/i(-)| = 160, and |pi| = \p' 2 \ ^ 255, thus we 
also have gcd(uu, ord(5)) = 1. Therefore, from equation (9), we conclude that 
ord(g)|(fc — k + a — a), i.e. , (k—k + a — a) = 0 or (fc — k + a — a) = b- ord(g) for 
some non-zero integer b. However, both cases unlikely happen, because ord (g) is 
the product of two large primes, a and a are random numbers selected by GM, 
and k and k are random numbers selected by Bob and Charlie, respectively. 

Furthermore, equation (8) can be generalized to link two signatures which 
are generated by the same group member at different time periods. That is, 
given two group signatures a = (u,ri,r 2 ,r 3 ,m,j) and a = (u, rq, 7^, ^3, fh, *) 
where j > i, one can know whether the same group member generated them by 
checking 

rl = mod n. (10) 



4.2 Untraceability 

In this section, we demonstrate an attack that enables a group member Bob to 
forge a valid certificate. Then, using this forged certificate, he can generate valid 
group signature on any message of his choice without being traced. Firstly, we 
note that it seems difficult to forge a new pair (fs, Ss) so that the first equation 
in (1) is satisfied, since Bob does not know GM’s secret key x. However, Bob 
can change the values of wb 0 and IDs , and get a new certificate. For this sake, 
he chooses a random number a £ Z n , and defines wb 0 , IDb and k as follows: 

Wb 0 = WB 0 g a mod n, IDs = IDs • g~ ae mod n, k = k — ae T (in Z). (11) 



34 



Guilin Wang 



In the following, we show that the tuple (s B , tb, w B o ) with respect to ( ID B ,k ) 
constitutes a valid group membership certificate. Firstly, it is easy to know 
that IDg = ID B g~ ae mod n = g k ~ a ' e mod n = g k mod n. Secondly, we 
have g SB = r B y TB mod n. Finally, the following equalities hold 

r B ID GM IDB = ( vbIDgmIDb ) ■ g~ aeT mod n 

_ T _ T 

= wb 0 e ■ g ae mod n 

T 

= ( wb 0 ■ g a )~ e mod n 

T 

= w Bq mod n. 

Therefore, according to JOIN procedure, Bob obtains another new certificate 
(s B ,r B ,WB 0 ) with (ID B ,k). Using this tuple ( SB,r B ,WB 0 ,ID B ,k ), Bob can 
generate valid group signatures on arbitrary messages. According to OPEN pro- 
cedure, when such forged signatures are presented, Bob will not be traced as 
the signer since r B ID B ^ r B ID B mod n. Therefore, the OPEN procedure pro- 
vided by [28] fails to trace such malicious group members. A natural question is 
whether we can improve this OPEN procedure such that it can reveal the identi- 
ties of malicious group members. Unfortunately, the answer is negative. In other 
words, Zhang- Wu- Wang scheme is untraceable in essence, i.e., two malicious 
members may forge the same valid but untraceable group signature on a given 
message. More formally, we have the following theorem. 

Theorem 1. Using the above attack, the forged group signatures generated by 
two malicious members for the same message are perfectly indistinguishable. 

Proof: We only need to prove that if Bob forges a group signature a on a mes- 
sage m, Charlie can also generate it by using our above attack. For simplicity, let 
sk B ,j = (s B , r B ,yJ Bj , ID B ,k), and fsk B ,j = (s B , rB,w Bj ,ID B ,k), where w Bj = 
Wg ,_ i mod n = Wg g mod n, and w Bj = ti}^ mod n = u>g o mod n. sk B ,j and 
fsk B ,j denote Bob’s signing key and forged signing key at time period j, respec- 
tively. Here, w Bo ,IDb and k are computed by Bob as in the above attack, i.e., 
Bob selects a random number a and calculates the values of them from equa- 
tion (11). To forge a group signature on message m, he randomly chooses two 
numbers q\,q 2 &r Z*, and computes zi = g qi y q2 mod n, u = h(zi,m), r 2 = 
w mod n, rq = qi + ( s B + k)uh(r 2 ) (in Z), and r^ = qq — r B uh{r 2 ) (in Z). 
<7 = (u, r\, r2, r 3 , m, j) is the resulting forged group signature on message m. 

Now, we show that Charlie can forge a group signature cr' on the same mes- 
sage m such that o' = o, if he chooses an appropriate number a' to define his 
forged signing key, and two specific numbers q[ and q' 2 to produce group signa- 
ture. Let sk G ,j = ( sc, re , w Gj , IDc , k') be Charlie’s signing key at time period j, 
where s G = of + r G x, rc = g a mod n, IDc = g k mod n, w Gj = Wc a mod n, 
and wc 0 = ( rcIDcMlDc)~ d mod n. To forge a new membership certificate, 
Charlie first sets a' = a — (k + a — k! — a') ■ e~ T mod ord(g). This means that 
there exists an integer l such that k! + a' — a'e T = k + a — ae T + l ■ ord(g). And 
then, according to equation (11), he defines u>c 0 ,IDc and k' as follows: 

wc 0 = w Co g a mod n, IDc = IDcg~ a e mod n, k! = k! — a! e T (in Z). (12) 



